[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

Joel Esler jesler at ...435...
Tue Mar 13 12:03:19 EDT 2012


Well, we have a rule that fires on that initially..

21347

But it's set to noalert as we think it'll be FP prone.

Thoughts?

On Tue, Mar 13, 2012 at 11:57 AM, Community Signatures <lists at ...3397...> wrote:

> On 03/13/12 10:43, Joel Esler wrote:
> >
> > So an additional rule may not add value.
>
> Well, looking at these SIDs that fired they're not so much related to
> the initial landing redirect (document.location) which I feel is as
> important as the landing page itself.
>
> The landing page and its content can vary, however, I believe there to
> be value in detection of the specific terse structure of the landing
> redirect itself, in this case nothing more than a document.location
> statement to the 16-byte hex Blackhole landing page on showthread.php
> (VBulletin emulation anyone?)
>
> I think there's still value in the proposed as there isn't any 1:1
> overlap, just SIDs firing *after* landing.  Disagree?
>
> The PCRE is missing an escape for period in "showthread.php" -- sadly
> this still doesn't make it fire (argh).
>
> Thanks,
> Nathan
>
>


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
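As an added illustration of Nathan's point about the unescaped period (this is example code written for this archive page, not a rule or script from the thread, the VRT, or SID 21347): the regexes below are constructed stand-ins for the proposed PCRE, and the sample snippets are made up. It assumes the "16 byte hex" token is 16 hex digits in the `t=` parameter of showthread.php; the real Blackhole format and the real rule text are not on this page. The example shows that an unescaped `.` in "showthread.php" does not stop the pattern matching the genuine redirect (so the escape is not why the rule fails to fire), it only widens what the pattern accepts.

```python
import re

# Constructed sample content (not captured traffic from the thread).
SAMPLES = {
    # The terse landing redirect the thread describes: nothing but a
    # document.location statement pointing at showthread.php?t=<16 hex>.
    "terse_redirect": (
        "<script>document.location='http://example.invalid/forum/"
        "showthread.php?t=73a07bc1e5a3b0d5';</script>"
    ),
    # Ordinary vBulletin-style link: should not match either pattern.
    "benign_forum_link": "<a href='/showthread.php?t=12345'>thread</a>",
    # Same shape but with the dot in "showthread.php" replaced: only the
    # unescaped pattern (where '.' means any character) matches this.
    "dot_wildcard_case": (
        "document.location='http://example.invalid/"
        "showthreadXphp?t=73a07bc1e5a3b0d5'"
    ),
}

# Assumed shape of the proposed PCRE; the '.' before "php" is unescaped.
UNESCAPED = re.compile(
    r"document\.location\s*=\s*['\"][^'\"]*showthread.php\?t=[0-9a-f]{16}['\"]",
    re.I,
)
# Same pattern with the period escaped, as Nathan suggests.
ESCAPED = re.compile(
    r"document\.location\s*=\s*['\"][^'\"]*showthread\.php\?t=[0-9a-f]{16}['\"]",
    re.I,
)


def classify(text):
    """Return whether each pattern variant fires on the given content."""
    return {
        "unescaped": bool(UNESCAPED.search(text)),
        "escaped": bool(ESCAPED.search(text)),
    }


def is_terse_redirect(text):
    """True when the script body is nothing but the redirect statement.

    This models the 'terse' structure the thread wants to detect: strip
    the <script> wrapper and whitespace, and require the remainder to be
    a single document.location assignment matched by the escaped pattern.
    """
    body = re.sub(r"</?script[^>]*>", "", text, flags=re.I).strip()
    return bool(ESCAPED.fullmatch(body.rstrip(";")))


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, classify(content), "terse:", is_terse_redirect(content))
```

Running it shows the genuine redirect matched by both variants, the benign link matched by neither, and the altered-dot sample matched only by the unescaped variant. Whether the rule fires in Snort also depends on the content being in the inspected buffer (for instance after HTTP response decompression), which the regex alone does not show.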