snort-sigs March 2012 archive

Re: [Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

From: Joel Esler <jesler_at_nospam>
Date: Tue Mar 13 2012 - 16:03:19 GMT
To: Community Signatures <lists@packetmail.net>

Well, we have a rule that fires on that initially..

21347

But it's set to noalert as we think it'll be FP prone.

Thoughts?

On Tue, Mar 13, 2012 at 11:57 AM, Community Signatures <lists@packetmail.net> wrote:

> On 03/13/12 10:43, Joel Esler wrote:
> >
> > So an additional rule may not add value.
>
> Well, looking at these SIDs that fired they're not so much related to
> the initial landing redirect (document.location) which I feel is as
> important as the landing page itself.
>
> The landing page and its content can vary, however, I believe there to
> be value in detection of the specific terse structure of the landing
> redirect itself, in this case nothing more than a document.location
> statement to the 16-byte hex Blackhole landing page on showthread.php
> (VBulletin emulation anyone?)
>
> I think there's still value in the proposed as there isn't any 1:1
> overlap, just SIDs firing *after* landing. Disagree?
>
> The PCRE is missing an escape for period in "showthread.php" -- sadly
> this still doesn't make it fire (argh).
>
> Thanks,
> Nathan
>
>

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

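The point Nathan raises about the unescaped period in "showthread.php" is easy to see with a small harness. The following is an added example, not the proposed rule, not SID 21347, and not code from the thread or the VRT: the thread never shows the actual PCRE, so the two patterns below are a reconstruction of the structure it describes (a bare document.location assignment to a showthread.php URL with a hex parameter). The exact parameter name and the 16-hex-character length are assumptions, and the sample payloads are constructed, not captured traffic. Python's re is close enough to PCRE for this pattern.

```python
import re

# Hypothetical reconstruction of the kind of PCRE discussed in the thread.
# Left as the thread describes it: the "." before "php" is unescaped, so it
# matches any single character, not only a literal period.
PCRE_UNESCAPED = r'document\.location\s*=\s*["\'][^"\']*showthread.php\?[a-z]+=[0-9a-f]{16}["\']'

# Same pattern with the period escaped, so only "showthread.php" matches.
# The 16-hex-character parameter value and the "name=" parameter form are
# assumptions (the subject line says "16 byte hex"; the exact layout is not
# on the page).
PCRE_ESCAPED = r'document\.location\s*=\s*["\'][^"\']*showthread\.php\?[a-z]+=[0-9a-f]{16}["\']'


def matches(pattern: str, payload: str) -> bool:
    """True if the pattern fires on the payload, case-insensitively like a /i PCRE."""
    return re.search(pattern, payload, re.IGNORECASE) is not None


# Constructed sample bodies (not real Blackhole traffic). example.invalid is a
# reserved, non-resolving domain.
SAMPLES = {
    # The terse redirect structure Nathan describes: nothing but a
    # document.location assignment to the landing page.
    "terse_redirect": 'document.location="http://example.invalid/showthread.php?t=0123456789abcdef";',
    # Same, with whitespace around "=" and a single-quoted URL.
    "spaced_assignment": "document.location = 'http://example.invalid/forum/showthread.php?t=deadbeefcafef00d'",
    # Decoy: "showthread_php" is not the landing page, but an unescaped
    # period still matches the underscore.
    "dot_decoy": 'document.location="http://example.invalid/showthread_php?t=0123456789abcdef";',
    # Parameter too short to be the 16-character hex value.
    "short_hex": 'document.location="http://example.invalid/showthread.php?t=0123456789ab";',
    # Ordinary forum link with no redirect: should never fire.
    "benign_vbulletin": '<a href="showthread.php?t=12345">thread</a>',
}


def classify(pattern: str) -> dict:
    """Run one pattern over every sample and report which ones it fires on."""
    return {name: matches(pattern, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("unescaped", PCRE_UNESCAPED), ("escaped", PCRE_ESCAPED)):
        print(label)
        for name, hit in classify(pattern).items():
            print(f"  {name:20s} {'ALERT' if hit else '-'}")
```

Running it shows the only behavioural difference between the two patterns is the `dot_decoy` sample: the unescaped period fires on `showthread_php`, the escaped one does not. Both patterns hit the terse redirect and ignore the short-hex and plain-link samples, which is the kind of table to build before deciding whether a rule like this is FP prone enough to leave at noalert.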

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!