| Main Archive Page > Month Archives > snort-sigs archives |
Re: [Snort-sigs] Proposed Signatures - Blackhole Exploit Kit
From: <lists_at_nospam>Date: Wed Mar 14 2012 - 00:37:19 GMT
To: Joel Esler <jesler@sourcefire.com>
On 03/13/12 16:57, Joel Esler wrote:
> Nathan, fixed up to:
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:21583; rev:1;)
I strongly believe you need a fast_pattern on the "qwe123" string as it is the
most likely to be globally unique as compared to "%PDF-1.6". Disagree?
Also "malicioius" was misspelled so corrected but this would have been likely
caught in QA so just pointing it out so it's not overlooked, not being pedantic.
I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is wise, I
don't recommend dropping this.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)
Thanks,
Nathan
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!