Snort mailing list archives
Re: Proposed Signatures - Blackhole Exploit Kit
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 13 Mar 2012 20:13:23 -0500
Thanks Joel for the reply, let me reply in line: On 03/13/12 19:55, Joel Esler wrote:
> That's a pretty old version of PDF marking. It's almost worth it to sig that. ;)
You're right but I know from time to time the old legitimate floats around...
> It's a negligible difference as far as performance goes in my testing. It's more worth it, IMO, to ensure that the qwe123 is after the PDF content match. At least it's in the file. I'll check again.
So help me understand this one if you don't mind, and I appreciate your wisdom. It's my understanding, with regard to fast_pattern at least (not fast_pattern:only), that the content match and distance:0 modifiers are still applied. As I understand the rule evaluation to be, with regard to:

flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;

1) fast_pattern case-insensitive match against the file_data buffer for "qwe123"
2) content match check for "%PDF-1.6" against the file_data buffer
3) content match check for "qwe123" against the file_data buffer relative to the previous content match of "%PDF-1.6"
4) flowbit check for state of file.pdf

Is this execution path correct? As I understand it, the content modifiers like within, distance, etc. still apply to a content match which has been explicitly set to fast_pattern (not fast_pattern:only). Educate me if I'm wrong please.
> I'm also future proofing the rule for future enhancements to the Snort engine. By doing what I did.
Can you elaborate more on this?

Thanks,
Nathan

_______________________________________________
Snort-sigs mailing list
https://lists.sourceforge.net/lists/listinfo/snort-sigs
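A constructed Python model of the four-step evaluation order Nathan lays out above (added here; it is not Snort's engine and not code from the thread). It shows that a fast_pattern prefilter hit on "qwe123" only gates the rule: the ordered, case-sensitive content checks with distance:0 still decide, so a buffer where the marker precedes the "%PDF-1.6" header, or carries it in a different case, passes the prefilter and is still rejected. Sample buffers and the flowbit state are constructed inputs.

```python
# Simplified model of the rule evaluation described in the thread.
# This is NOT Snort's matcher; it only illustrates the ordering question.

FAST_PATTERN = b"qwe123"
ORDERED_CONTENTS = [b"%PDF-1.6", b"qwe123"]  # second one is distance:0


def fast_pattern_prefilter(buf: bytes, pattern: bytes = FAST_PATTERN) -> bool:
    """Step 1: case-insensitive prefilter, as a multi-pattern matcher runs it."""
    return pattern.lower() in buf.lower()


def ordered_content_match(buf: bytes, contents=ORDERED_CONTENTS) -> bool:
    """Steps 2-3: each content must appear (exact case, no nocase) at or
    after the end of the previous match, i.e. distance:0 relative to it."""
    pos = 0
    for c in contents:
        idx = buf.find(c, pos)
        if idx < 0:
            return False
        pos = idx + len(c)
    return True


def rule_fires(buf: bytes, flowbit_file_pdf: bool) -> bool:
    """Full path: prefilter gate, then ordered contents, then the flowbit."""
    if not fast_pattern_prefilter(buf):
        return False                  # step 1: never reaches full evaluation
    if not ordered_content_match(buf):
        return False                  # steps 2-3: prefilter hit but order wrong
    return flowbit_file_pdf           # step 4: flowbits:isset,file.pdf


# Constructed sample file_data buffers (not real exploit kit content).
SAMPLES = {
    "pdf_then_marker": b"%PDF-1.6\n1 0 obj\n<< /JS (var qwe123 = 1;) >>",
    "marker_before_header": b"qwe123 %PDF-1.6 ...",
    "upper_case_marker": b"%PDF-1.6 QWE123",
    "no_marker": b"%PDF-1.6 benign document",
}


def evaluate_all(flowbit_file_pdf: bool = True) -> dict:
    """Run every sample through the model; returns {name: fired}."""
    return {name: rule_fires(buf, flowbit_file_pdf) for name, buf in SAMPLES.items()}
```

Only "pdf_then_marker" fires, and only when the file.pdf flowbit is set; "marker_before_header" and "upper_case_marker" both survive the prefilter yet fail the ordered checks.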