[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"

Joel Esler jesler at ...435...
Wed Feb 29 17:22:09 EST 2012


On Feb 29, 2012, at 4:35 PM, Community Signatures wrote:
> On 02/29/12 15:19, Matt Olney wrote:
>> Since you're associating with an exploit kit, rather than an active
>> trojan, and given that exploits are typically aimed at user
>> applications, I'd use classtype:attempted-user;
> 
> Understood, on the ET side we tend to use trojan-activity because the
> point of the exploit kit is to install a trojan/malware.  I always
> viewed attempted-user as privilege escalation.  I may just leave
> classtype off and let VRT apply this and the metadata as they feel fit.

We'll be handling this differently very shortly.  Classtype work will be later.

Cryptic, I know, but you'll understand when you see the blog post.

J
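What actually changes when a rule is tagged classtype:attempted-user versus classtype:trojan-activity is worth seeing concretely, since Snort takes both the alert description and the default priority from classification.config. The script below is an added example, not code from this thread, from Joel Esler or from the VRT/ET rule sets: it parses a constructed excerpt of classification.config (the three entries reproduce the stock Snort defaults), resolves a constructed rule under each of the two classtypes discussed above, and applies an explicit priority: override where present. The rule text is a placeholder with a hypothetical SID in the local range; it is not the "catch qq" signature proposed in the thread.

```python
import re
from typing import Dict, NamedTuple, Optional

# Constructed excerpt in classification.config syntax. These three entries
# match the stock Snort defaults (name,description,priority); the real file
# carries many more. Note attempted-user and trojan-activity share priority 1.
CLASSIFICATION_CONFIG = """\
# classification.config (constructed excerpt for this example)
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
"""

# Constructed rule: hypothetical SID 1000001 (local range), placeholder content.
# {classtype} is filled in below so the same rule can be compared under
# the two classtypes discussed in the thread.
RULE_TEMPLATE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"EXAMPLE exploit kit landing page (placeholder)"; '
    'flow:to_client,established; file_data; content:"placeholder"; '
    'classtype:{classtype}; sid:1000001; rev:1;)'
)

# Same rule with a low-priority classtype but an explicit priority: override.
RULE_WITH_OVERRIDE = RULE_TEMPLATE.format(classtype="misc-activity").replace(
    "rev:1;)", "rev:1; priority:1;)")


class Classification(NamedTuple):
    name: str
    description: str
    priority: int


class ResolvedRule(NamedTuple):
    sid: Optional[str]
    classtype: Optional[str]
    description: Optional[str]
    priority: Optional[int]


def parse_classification_config(text: str) -> Dict[str, Classification]:
    """Parse 'config classification: name,description,priority' lines."""
    table: Dict[str, Classification] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+classification:\s*(.+)$", line)
        if not m:
            continue
        # The description may itself contain no commas in the stock file,
        # but split at most twice so a stray comma lands in the description.
        name, desc, prio = [p.strip() for p in m.group(1).split(",", 2)]
        table[name] = Classification(name, desc, int(prio))
    return table


def rule_option(rule: str, keyword: str) -> Optional[str]:
    """Return the value of a 'keyword:value;' option in a rule body, or None.

    Only used for options whose values cannot contain ';' (classtype,
    priority, sid), so stopping at the first ';' is safe.
    """
    m = re.search(r"(?:\(|;)\s*" + re.escape(keyword) + r"\s*:\s*([^;]+);", rule)
    return m.group(1).strip() if m else None


def resolve(rule: str, table: Dict[str, Classification]) -> ResolvedRule:
    """Work out what an alert from this rule carries.

    classtype -> description and default priority from classification.config;
    an explicit 'priority:' option overrides the classtype default.
    A classtype missing from the table is an error, as it would be for Snort.
    """
    classtype = rule_option(rule, "classtype")
    explicit = rule_option(rule, "priority")
    entry = table.get(classtype) if classtype else None
    if classtype and entry is None:
        raise ValueError(f"unknown classtype {classtype!r}: not in classification.config")
    if explicit is not None:
        priority: Optional[int] = int(explicit)
    else:
        priority = entry.priority if entry else None
    return ResolvedRule(rule_option(rule, "sid"), classtype,
                        entry.description if entry else None, priority)


def compare_classtypes(table: Dict[str, Classification]) -> Dict[str, ResolvedRule]:
    """Resolve the constructed rule under each classtype from the thread."""
    return {ct: resolve(RULE_TEMPLATE.format(classtype=ct), table)
            for ct in ("attempted-user", "trojan-activity")}


if __name__ == "__main__":
    table = parse_classification_config(CLASSIFICATION_CONFIG)
    for ct, r in compare_classtypes(table).items():
        print(f"{ct:16} priority={r.priority} description={r.description!r}")
    print("override:", resolve(RULE_WITH_OVERRIDE, table))
```

Run as written, both classtypes resolve to priority 1; they differ only in the description that ends up in the alert, which is what the disagreement above is really about. The override case shows the escape hatch when a classtype's default priority is not what the rule author wants.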
