jesler at ...435...
Tue Mar 13 12:03:19 EDT 2012
Well, we have a rule that fires on that initially.
But it's set to noalert as we think it'll be FP prone.
On Tue, Mar 13, 2012 at 11:57 AM, Community Signatures <lists at ...3397...
> On 03/13/12 10:43, Joel Esler wrote:
> > So an additional rule may not add value.
> Well, looking at these SIDs that fired they're not so much related to
> the initial landing redirect (document.location) which I feel is as
> important as the landing page itself.
> The landing page and its content can vary, however, I believe there to
> be value in detection of the specific terse structure of the landing
> redirect itself, in this case nothing more than a document.location
> statement to the 16-byte hex Blackhole landing page on showthread.php
> (VBulletin emulation anyone?)
> I think there's still value in the proposed as there isn't any 1:1
> overlap, just SIDs firing *after* landing. Disagree?
> The PCRE is missing an escape for period in "showthread.php" -- sadly
> this still doesn't make it fire (argh).
Senior Research Engineer, VRT
OpenSource Community Manager
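The escape question raised in the quoted post is worth seeing concretely. The following added example (not from the Snort-sigs thread, not a VRT rule, and using Python's `re` rather than Snort's PCRE engine) compares an unescaped `showthread.php` pattern with the escaped `showthread\.php` form against three constructed page bodies: a terse `document.location` redirect of the shape the post describes, an ordinary vBulletin-style forum page, and a path where the unescaped `.` matches a non-dot character. The host names, the `?t=` query form and the sample HTML are assumptions made for illustration. It also shows a separate check for the "nothing but a document.location statement" structure the post argues is worth detecting.

```python
import re

# Constructed sample (assumption, not from the thread): a terse redirect that
# is nothing but a document.location statement pointing at a
# 16-hex-character showthread.php landing page.
TERSE_REDIRECT = (
    "<script>document.location="
    "'http://landing.example.invalid/showthread.php?t=0123456789abcdef';"
    "</script>"
)

# Constructed benign page: a forum that links to showthread.php and reads
# document.location without assigning to it. A good rule must not fire here.
BENIGN_FORUM = (
    "<html><body><a href='/forum/showthread.php?t=42'>Thread 42</a>"
    "<script>var x = document.location.href;</script></body></html>"
)

# Constructed oddity: the path is "showthreadXphp". Only an unescaped '.'
# treats X as an acceptable stand-in for the dot.
ODD_PATH = (
    "document.location="
    "'http://h.example.invalid/showthreadXphp?t=0123456789abcdef';"
)

# Unescaped form, as in the PCRE the post discusses: '.' matches any character.
UNESCAPED = re.compile(
    r"document\.location\s*=\s*['\"]https?://[^'\"]+/showthread.php\?t=[0-9a-f]{16}['\"]",
    re.IGNORECASE,
)

# Escaped form: '\.' matches only a literal dot.
ESCAPED = re.compile(
    r"document\.location\s*=\s*['\"]https?://[^'\"]+/showthread\.php\?t=[0-9a-f]{16}['\"]",
    re.IGNORECASE,
)

# Structural check: the whole body is a single <script> block consisting of
# one document.location assignment and nothing else.
TERSE = re.compile(
    r"^\s*<script>\s*document\.location\s*=\s*['\"][^'\"]+['\"];?\s*</script>\s*$",
    re.IGNORECASE,
)


def classify(body: str) -> dict:
    """Report whether each variant of the redirect pattern fires on body."""
    return {
        "unescaped": UNESCAPED.search(body) is not None,
        "escaped": ESCAPED.search(body) is not None,
    }


def is_terse_redirect(body: str) -> bool:
    """True when the page is nothing but a document.location redirect."""
    return TERSE.search(body) is not None


if __name__ == "__main__":
    for name, body in [("terse", TERSE_REDIRECT),
                       ("forum", BENIGN_FORUM),
                       ("odd", ODD_PATH)]:
        print(name, classify(body), "terse-structure:", is_terse_redirect(body))
```

Both variants match the terse redirect, which is consistent with the post's observation that adding the escape does not by itself make the rule fire: the missing `\` loosens the pattern (it also accepts `showthreadXphp`) rather than tightening it, so the reason the original did not fire lies elsewhere in the rule or the traffic, not in that character.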