[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

Community Signatures lists at ...3397...
Tue Mar 13 11:57:54 EDT 2012


On 03/13/12 10:43, Joel Esler wrote:
> 
> So an additional rule may not add value.

Well, looking at these SIDs that fired they're not so much related to
the initial landing redirect (document.location) which I feel is as
important as the landing page itself.

The landing page and its content can vary, however, I believe there to
be value in detection of the specific terse structure of the landing
redirect itself, in this case nothing more than a document.location
statement to the 16-byte hex Blackhole landing page on showthread.php
(VBulletin emulation anyone?)

I think there's still value in the proposed as there isn't any 1:1
overlap, just SIDs firing *after* landing.  Disagree?

The PCRE is missing an escape for period in "showthread.php" -- sadly
this still doesn't make it fire (argh).

Thanks,
Nathan
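The point about the unescaped period can be shown in code. The following is an added example, not the proposed rule's PCRE and not code from the thread; it assumes the redirect is a bare document.location assignment to a showthread.php URL whose t parameter is 16 hexadecimal characters (one reading of "16 byte hex"), and the sample page, host name and token are constructed for the demonstration. Snort's pcre keyword uses PCRE syntax, and Python's re module accepts the constructs used here, so the escape behaves the same way in both.

```python
import re

# Constructed sample of the terse landing redirect: nothing but a
# document.location assignment to a showthread.php URL with a 16-hex-char
# "t" parameter. Host and token are invented for this example.
SAMPLE_REDIRECT = (
    '<html><body><script>'
    'document.location="http://example.invalid/showthread.php?t=73a07bc1ae2d3cc5";'
    '</script></body></html>'
)

# Near miss: identical except for the character before "php". A PCRE that
# leaves the "." in "showthread.php" unescaped treats it as "any character"
# and accepts this page as well.
NEAR_MISS = SAMPLE_REDIRECT.replace("showthread.php", "showthreadXphp")

# Same redirect shape, but the token is too short; the {16} quantifier must
# reject it regardless of the escaping question.
SHORT_TOKEN = SAMPLE_REDIRECT.replace("73a07bc1ae2d3cc5", "73a07bc1")


def build_pattern(escape_dot: bool) -> re.Pattern:
    """Build the redirect regex, with or without escaping the '.' in showthread.php.

    escape_dot=True  -> 'showthread\\.php' matches only the literal filename.
    escape_dot=False -> 'showthread.php' matches 'showthread' + any char + 'php'.
    """
    filename = r"showthread\.php" if escape_dot else r"showthread.php"
    return re.compile(
        r"document\.location\s*=\s*[\"']"   # bare document.location assignment
        r"https?://[^\"']+/"                # scheme and host, up to the last slash
        + filename                          # the filename, escaped or not
        + r"\?t=[0-9a-f]{16}[\"']",         # exactly 16 hex chars, then closing quote
        re.IGNORECASE,
    )


def matches(pattern: re.Pattern, body: str) -> bool:
    """True if the pattern fires anywhere in the (reassembled) response body."""
    return pattern.search(body) is not None


def compare() -> dict:
    """Run both variants over the three constructed bodies and report what fires."""
    escaped, unescaped = build_pattern(True), build_pattern(False)
    return {
        name: {"escaped": matches(escaped, body), "unescaped": matches(unescaped, body)}
        for name, body in (
            ("redirect", SAMPLE_REDIRECT),
            ("near_miss", NEAR_MISS),
            ("short_token", SHORT_TOKEN),
        )
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12s} escaped={result['escaped']!s:5s} unescaped={result['unescaped']!s:5s}")
```

Both variants fire on the constructed redirect, so the missing escape does not by itself explain a rule that never fires; what it does change is precision, since only the escaped form rejects the near miss. Whether the rule fires at all on live traffic depends on the content matches, the buffers the rule inspects and reassembly, none of which this regex check exercises.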
