Snort mailing list archives

Re: Proposed Signatures - Blackhole Exploit Kit


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 13 Mar 2012 20:13:23 -0500

Thanks Joel for the reply, let me reply in line:

On 03/13/12 19:55, Joel Esler wrote:
That's a pretty old version of PDF marking. It's almost worth it to sig
that. ;)

You're right but I know from time to time the old legitimate floats around...

It's a negligible difference as far as performance goes in my testing.
It's more worth it, IMO, to ensure that the qwe123 is after the PDF content
match. At least it's in the file. I'll check again.

So help me understand this one if you don't mind and I appreciate your wisdom.
It's my understanding, with regard to fast_pattern at least (not
fast_pattern:only), that the content match and distance:0 modifiers are still
applied.

As I understand the rule evaluation to be with regard to
flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123";
distance:0; fast_pattern;

1) fast_pattern case-insensitive match against the file_data buffer for "qwe123"
2) content match check for "%PDF-1.6" against the file_data buffer.
3) content match check for "qwe123" against the file_data buffer relative to the
previous content match of "%PDF-1.6".
4) flowbit check for state of file.pdf

Is this execution path correct?  As I understand it the content modifiers like
within, distance, etc still apply to a content match which has been explicitly
set to fast_pattern (not fast_pattern:only).

Educate me if I'm wrong please.

I'm also future-proofing the rule for future enhancements to the Snort
engine by doing what I did.

Can you elaborate more on this?

Thanks,
Nathan
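As an added illustration, not part of the thread, here is a small Python model of the four-step evaluation order Nathan lays out for the rule (fast_pattern prefilter, ordered content matches with distance:0 relative to the previous match, then the flowbit check). It is a toy, not the Snort engine, and it makes no claim about which order Snort actually uses; the rule dictionary and the sample buffers are constructed for the example.

```python
# Added example (not from the thread): a toy model of the rule-option
# evaluation order described for
#   flowbits:isset,file.pdf; file_data; content:"%PDF-1.6";
#   content:"qwe123"; distance:0; fast_pattern;
# It is not Snort's engine; it only makes the described steps concrete.

RULE = {
    "flowbit": "file.pdf",
    "content": [
        {"pattern": b"%PDF-1.6"},
        {"pattern": b"qwe123", "distance": 0, "fast_pattern": True},
    ],
}

def fast_pattern_prefilter(buf: bytes, pattern: bytes) -> bool:
    """Step 1: the fast_pattern content is searched case-insensitively
    over the whole buffer before any other option is considered."""
    return pattern.lower() in buf.lower()

def evaluate_rule(buf: bytes, flowbits: set, rule: dict = RULE) -> str:
    """Return 'alert' or the name of the first step that rejected the buffer."""
    fp = next(c for c in rule["content"] if c.get("fast_pattern"))
    if not fast_pattern_prefilter(buf, fp["pattern"]):
        return "fast_pattern"
    # Steps 2-3: each content in rule order; the fast_pattern content keeps
    # its distance modifier and is matched case-sensitively (no nocase).
    cursor = 0                      # end of the previous content match
    for i, c in enumerate(rule["content"], start=1):
        start = cursor + c["distance"] if "distance" in c else 0
        idx = buf.find(c["pattern"], start)
        if idx < 0:
            return f"content{i}"
        cursor = idx + len(c["pattern"])
    # Step 4: the flowbit must already be set on this flow.
    return "alert" if rule["flowbit"] in flowbits else "flowbits"

# Constructed sample buffers (not real PDFs, just enough for the model).
PDF_HIT = b"%PDF-1.6\n1 0 obj << /JS (var qwe123 = 1;) >> endobj\n%%EOF\n"
PDF_WRONG_ORDER = b"qwe123 %PDF-1.6\n%%EOF\n"   # distance:0 cannot be met
PDF_UPPER = b"%PDF-1.6\nQWE123\n%%EOF\n"        # prefilter hits, content misses

if __name__ == "__main__":
    for name, buf in [("hit", PDF_HIT), ("order", PDF_WRONG_ORDER), ("upper", PDF_UPPER)]:
        print(name, evaluate_rule(buf, {"file.pdf"}))
    print("no flowbit", evaluate_rule(PDF_HIT, set()))
```

The "upper" case shows the point the thread is circling: the case-insensitive prefilter alone is not a match, the full content check with its modifiers still has to pass.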


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

