Re: Proposed Signatures - Blackhole Exploit Kit

[Joel Esler <jesler () sourcefire com>]

On Tue, Mar 13, 2012 at 9:13 PM, lists () packetmail net
<lists () packetmail net>wrote:

> Thanks Joel for the reply, let me reply in line:
>
> On 03/13/12 19:55, Joel Esler wrote:
> > That's a pretty old version of PDF marking. It's almost worth it to sig
> > that. ;)
>
> You're right but I know from time to time the old legitimate floats
> around...
>
> > It's a negligible difference as far as performance goes  in my testing.
> > It's more worth it, IMO, to ensure that the qwe123 is after the PDF
> content
> > match. At least it's in the file. I'll check again.
>
> So help me understand this one if you don't mind and I appreciate your
> wisdom.
> It's my understanding, with regard to fast_pattern at least (not
> fast_pattern:only), that the content match and distance:0 modifiers are
> still
> applied.
>
> Yes, they do.  I tested it again, and I was right.  The PDF check is
faster than the qwe123 check by a factor of about 4.  (If you fast pattern
the qwe123 instead of the PDF it takes 4 times as long to evaluate)



> As I understand the rule evaluation to be with regard to
> flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123";
> distance:0; fast_pattern;
>
> 1) fast_pattern case-insensitive match against the file_data buffer for
> "qwe123"
> 2) content match check for "%PDF-1.6" against the file_data buffer.
> 3) content match check for "qwe123" against the file_data buffer relative
> to the
> previous content match of "%PDF-1.6".
> 4) flowbit check for state of file.pdf

Actually, #4 should be #2.  Since the rule options are read left to right
after the header.  (Header is read last.)


> Is this execution path correct?  As I understand it the content modifiers
> like
> within, distance, etc still apply to a content match which has been
> explicitly
> set to fast_pattern (not fast_pattern:only).

Correct.  fast_pattern is not case insensitive though.  fast_pattern:only,
however, is.


> <snip>
>
> > I'm also future proofing the rule for future enhancements to the Snort
> > engine.  By doing what I did.
>
> Can you elaborate more on this?
Not yet.  As I said in my blog post, 2012 is going to be a big year for
Snort.  I'll announce things when we are ready to do so.  I don't like to
put things out until we have something solid.  I don't like to over promise
and under deliver.


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!