[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

Community Signatures lists at ...3397...
Tue Mar 13 12:20:08 EDT 2012


On 03/13/12 11:03, Joel Esler wrote:
> Well, we have a rule that fires on that initially..
> 
> 21347
> 
> But it's set to noalert as we think it'll be FP prone.
> 
> Thoughts?

Ouch, I completely missed that one; it's new and wasn't in my tarball.
Yes, it will false-positive. I had tried something similar, and the URI
structures in a few sites, especially video sites, cause it to false.
It is worth setting a flowbit though.

I'm open to your opinion; I do think there is value in detection of a
terse/basic 'document.location' redirect.  Perhaps something like this, with
the direction $EXTERNAL_NET -> $HOME_NET:

file_data; content:"document.location="; depth:18; content:".php?";
along with the PCRE in 21347 without the /U flag -- this will catch more
than just the "showthread.php" variant.

I assume file_data with depth:18 will match on equiv of content:"|0d 0a
0d 0a|document.location="; with no normalized buffer.  I appreciate any
corrections here if I'm wrong.

PS -- The PCRE in 21347 needs an escape on the period in ".php"... well
I guess it doesn't matter because of the content match, but I think you
intend one to be there.

Thanks,
Nathan
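Added example (not from the thread, and not a VRT rule): a Python emulation of the proposed content/depth logic run over constructed HTTP responses. It shows what depth:18 does in the file_data buffer, namely that the 18-byte needle can only match at body offset 0, right after the |0d 0a 0d 0a| header terminator, and that an HTML-wrapped copy of the same redirect is therefore missed. The regex is a constructed stand-in, since the PCRE in 21347 is not quoted in the thread.

```python
import re

# Constructed stand-ins; nothing below is from the thread or from SID 21347.
NEEDLE = b"document.location="
DEPTH = 18  # depth:18 with an 18-byte content only matches at body offset 0
# The PCRE in 21347 is not quoted in the thread; this constructed pattern
# stands in for it and escapes the period in ".php" as Nathan's PS suggests.
STANDIN_PCRE = re.compile(rb'^document\.location=["\']?https?://[^"\']+\.php\?')


def file_data(raw_response: bytes) -> bytes:
    """Approximate Snort's file_data buffer: the HTTP response body, i.e.
    everything after the first CRLFCRLF. (Real file_data is also dechunked
    and decompressed; this helper is not.)"""
    _head, sep, body = raw_response.partition(b"\r\n\r\n")
    return body if sep else b""


def matches_proposed_rule(raw_response: bytes) -> bool:
    """Emulate: file_data; content:"document.location="; depth:18;
    content:".php?"; plus a PCRE without /U (so it runs on file_data too)."""
    body = file_data(raw_response)
    # depth:18 restricts the search to the first 18 body bytes, so the
    # needle has to sit right after the header terminator (|0d 0a 0d 0a|).
    if NEEDLE not in body[:DEPTH]:
        return False
    # Second content has no relative modifier: search the whole buffer.
    if b".php?" not in body:
        return False
    return STANDIN_PCRE.search(body) is not None


# Constructed sample responses (fictional host).
TERSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b'document.location="http://example.invalid/forum/showthread.php?t=1";')
# Same redirect wrapped in HTML: depth:18 means the rule no longer fires.
WRAPPED = (b"HTTP/1.1 200 OK\r\n\r\n<html><script>"
           b'document.location="http://example.invalid/showthread.php?t=1";')
# Ordinary forum page that merely links to showthread.php.
BENIGN = b'HTTP/1.1 200 OK\r\n\r\n<a href="/showthread.php?t=5">thread</a>'

if __name__ == "__main__":
    for name, resp in (("terse", TERSE), ("wrapped", WRAPPED), ("benign", BENIGN)):
        print(f"{name}: {matches_proposed_rule(resp)}")
```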
