[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

Joel Esler jesler at ...435...
Tue Mar 13 12:39:02 EDT 2012


On Tue, Mar 13, 2012 at 12:20 PM, Community Signatures
<lists at ...3397...> wrote:
>
> On 03/13/12 11:03, Joel Esler wrote:
> > Well, we have a rule that fires on that initially..
> >
> > 21347
> >
> > But it's set to noalert as we think it'll be FP prone.
> >
> > Thoughts?
>
> Ouch, I completely missed that one; it's new and wasn't in my tarball.
> Yes, it will false-positive. I had tried something similar, and the URI
> structures in a few sites, especially video sites, cause it to false.
> It is worth setting a flowbit though.
>
> I'm open to your opinion; I do think there is value in detecting a
> terse/basic 'document.location' redirect.  Perhaps something like the
> following, with the direction $EXTERNAL_NET -> $HOME_NET:
>
> file_data; content:"document.location="; depth:18; content:".php?";
> along with the PCRE in 21347 without the /U flag -- this will catch more
> than just the "showthread.php" variant.
>

I actually modified 21492 a bit so that it will catch all these recent
variants.  Running it through QA now.

>
> I assume file_data with depth:18 will match on the equivalent of
> content:"|0d 0a 0d 0a|document.location="; with no normalized buffer.  I
> appreciate any corrections here if I'm wrong.
>
> PS -- The PCRE in 21347 needs an escape on the period in ".php"... well
> I guess it doesn't matter because of the content match, but I think you
> intend one to be there.
>
> Thanks,
> Nathan

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
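Added illustration, not code from the thread, from the VRT or from the Snort rules (21347, 21492) it mentions: a small Python model of the rule fragment Nathan proposes, `file_data; content:"document.location="; depth:18; content:".php?";`, run over constructed HTTP responses. It shows why the depth-anchored `document.location=` match is what keeps the loose `.php?` content from firing on ordinary pages such as the video-site URIs he mentions, and it demonstrates his PS about the unescaped period in a PCRE. The sample responses, the host name and the function names are constructed for this example; the PCRE from 21347 is not on the page, so only the escaping point is shown generically.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample HTTP responses (not from the thread). file_data in Snort
# points at the response body, i.e. everything after the first CRLFCRLF.
SAMPLES: Dict[str, str] = {
    # Terse redirect: the body begins directly with document.location=
    "terse_redirect": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        'document.location="http://placeholder.invalid/showthread.php?t=1";'
    ),
    # Same redirect, but buried later in the body: depth:18 excludes it.
    "redirect_later_in_body": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body>page text</body></html>"
        '<script>document.location="/forum/showthread.php?t=2";</script>'
    ),
    # Ordinary page with a ".php?" URI but no redirect: the kind of content
    # that would false-positive on a bare ".php?" match.
    "video_site_page": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><a href="/watch.php?v=3">clip</a></html>'
    ),
}


def file_data(response: str) -> str:
    """Return the body that Snort's file_data buffer would hold."""
    _, _, body = response.partition("\r\n\r\n")
    return body


def content_match(buf: str, pattern: str, depth: Optional[int] = None) -> bool:
    """Approximate Snort 'content' with an optional 'depth': the match must
    lie entirely within the first `depth` bytes of the buffer."""
    window = buf if depth is None else buf[:depth]
    return pattern in window


def terse_redirect_rule(response: str) -> bool:
    """Nathan's fragment: file_data; content:"document.location="; depth:18;
    content:".php?";  ("document.location=" is exactly 18 bytes, so depth:18
    requires the body to *start* with it.)"""
    buf = file_data(response)
    return (content_match(buf, "document.location=", depth=18)
            and content_match(buf, ".php?"))


def classify(samples: Dict[str, str]) -> Dict[str, bool]:
    """Run the rule model over every sample and report which ones fire."""
    return {name: terse_redirect_rule(resp) for name, resp in samples.items()}


# Nathan's PS: in a PCRE an unescaped '.' is a wildcard, so ".php" also
# matches strings like "xphp"; "\.php" matches only the literal extension.
UNESCAPED_PERIOD = re.compile(r".php")
ESCAPED_PERIOD = re.compile(r"\.php")


def pcre_period_check(text: str) -> Tuple[bool, bool]:
    """Return (unescaped_matches, escaped_matches) for the given text."""
    return (bool(UNESCAPED_PERIOD.search(text)),
            bool(ESCAPED_PERIOD.search(text)))


if __name__ == "__main__":
    for name, fired in classify(SAMPLES).items():
        print(f"{name:24s} -> {'ALERT' if fired else 'no match'}")
    for probe in ("showthread.php", "xphp"):
        print(f"{probe!r}: unescaped/escaped match = {pcre_period_check(probe)}")
```

Only the terse sample fires; the buried redirect and the video-site page do not, which is the trade-off the thread discusses: the depth constraint buys precision at the cost of missing redirects that are not at the very start of the body, hence the suggestion of a flowbit rather than an alert on the looser match.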