Snort mailing list archives
Re: Proposed Signatures - Blackhole Exploit Kit
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 21:57:43 -0400
On Tue, Mar 13, 2012 at 9:13 PM, lists () packetmail net <lists () packetmail net>wrote:
Thanks Joel for the reply, let me reply in line: On 03/13/12 19:55, Joel Esler wrote:That's a pretty old version of PDF marking. It's almost worth it to sig that. ;)You're right but I know from time to time the old legitimate floats around...It's a negligible difference as far as performance goes in my testing. It's more worth it, IMO, to ensure that the qwe123 is after the PDFcontentmatch. At least it's in the file. I'll check again.So help me understand this one if you don't mind and I appreciate your wisdom. It's my understanding, with regard to fast_pattern at least (not fast_pattern:only), that the content match and distance:0 modifiers are still applied. Yes, they do. I tested it again, and I was right. The PDF check is
faster than the qwe123 check by a factor of about 4. (If you fast pattern the qwe123 instead of the PDF it takes 4 times as long to evaluate)
As I understand the rule evaluation to be with regard to flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern; 1) fast_pattern case-insensitive match against the file_data buffer for "qwe123" 2) content match check for "%PDF-1.6" against the file_data buffer. 3) content match check for "qwe123" against the file_data buffer relative to the previous content match of "%PDF-1.6". 4) flowbit check for state of file.pdf
Actually, #4 should be #2. Since the rule options are read left to right after the header. (Header is read last.)
Is this execution path correct? As I understand it the content modifiers like within, distance, etc still apply to a content match which has been explicitly set to fast_pattern (not fast_pattern:only).
Correct. fast_pattern is not case insensitive though. fast_pattern:only, however, is.
<snip>I'm also future proofing the rule for future enhancements to the Snort engine. By doing what I did.Can you elaborate more on this?
Not yet. As I said in my blog post, 2012 is going to be a big year for Snort. I'll announce things when we are ready to do so. I don't like to put things out until we have something solid. I don't like to over promise and under deliver. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed Signatures - Blackhole Exploit Kit Community Proposed (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Community Signatures (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit lists () packetmail net (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit lists () packetmail net (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Community Signatures (Mar 13)
- Re: Proposed Signatures - Blackhole Exploit Kit Joel Esler (Mar 13)