[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"
jesler at ...435...
Wed Feb 29 17:22:09 EST 2012
On Feb 29, 2012, at 4:35 PM, Community Signatures wrote:
> On 02/29/12 15:19, Matt Olney wrote:
>> Since you're associating with an exploit kit, rather than an active
>> trojan, and given that exploits are typically aimed at user
>> applications, I'd use classtype:attempted-user;
> Understood, on the ET side we tend to use trojan-activity because the
> point of the exploit kit is to install a trojan/malware. I always
> viewed attempted-user as privilege escalation. I may just leave
> classtype off and let VRT apply this and the metadata as they feel fit.
We'll be handling this differently very shortly. Classtype work will be later.
Cryptic, I know, but you'll understand when you see the blog post.