lists at ...3397...
Tue Mar 13 11:57:54 EDT 2012
On 03/13/12 10:43, Joel Esler wrote:
> So an additional rule may not add value.
Well, looking at these SIDs that fired they're not so much related to
the initial landing redirect (document.location) which I feel is as
important as the landing page itself.
The landing page and its content can vary, however, I believe there to
be value in detection of the specific terse structure of the landing
redirect itself, in this case nothing more than a document.location
statement to the 16-byte hex Blackhole landing page on showthread.php
(VBulletin emulation anyone?)
I think there's still value in the proposed as there isn't any 1:1
overlap, just SIDs firing *after* landing. Disagree?
The PCRE is missing an escape for period in "showthread.php" -- sadly
this still doesn't make it fire (argh).
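
The check discussed above, as an added example that is not part of the original message or of any Snort rule set: a short response body that is little more than a document.location redirect to showthread.php, matched with the period escaped and unescaped. The URL shape (a short parameter name followed by 16 hex characters), the 256-byte cap and every sample body are assumptions constructed here, and Python's re module stands in for PCRE.

```python
import re

MAX_BODY = 256  # assumed cap for a body that is "nothing more than" a redirect


def build_pattern(dot):
    # dot is r"\." (literal period) or "." (unescaped: matches any character)
    return re.compile(
        r"document\.location\s*=\s*['\"]https?://[^'\"\s]+/showthread"
        + dot
        + r"php\?\w{1,8}=[0-9a-f]{16}['\"]",
        re.IGNORECASE,
    )


STRICT = build_pattern(r"\.")
LOOSE = build_pattern(".")


def is_terse_redirect(body, pattern=STRICT):
    """True when a short body carries the redirect statement."""
    return len(body) <= MAX_BODY and pattern.search(body) is not None


# Constructed samples (not captured traffic).
REDIRECT = (
    "<script>document.location="
    "'http://landing.example/showthread.php?t=0123456789abcdef';</script>"
)
NEAR_MISS = REDIRECT.replace("showthread.php", "showthreadXphp")
FORUM_PAGE = "<html>" + "<a href='showthread.php?t=12345'>thread</a>" * 40 + "</html>"
BURIED = "<html>" + "<p>filler</p>" * 100 + REDIRECT + "</html>"

if __name__ == "__main__":
    samples = [("redirect", REDIRECT), ("near miss", NEAR_MISS),
               ("forum page", FORUM_PAGE), ("buried", BURIED)]
    for name, body in samples:
        print(f"{name:10} strict={is_terse_redirect(body)} "
              f"loose={is_terse_redirect(body, LOOSE)}")
```

The unescaped period still matches the real file name, so escaping it only narrows what the pattern accepts.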