[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

Joel Esler jesler at ...435...
Tue Mar 13 17:57:59 EDT 2012

Nathan, fixed up to:

(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)

On Tue, Mar 13, 2012 at 4:51 PM, Community Signatures
<lists at ...3397...> wrote:

> On 03/13/12 15:46, Joel Esler wrote:
> > Do you have a pcap for the first one?
> Absolutely, en-route to VRT.  I actually probably have more than a few
> but I'll just send the most recent one because I'm pressed for time at
> the moment.
> Thanks,
> Nathan

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
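
Added example (not part of the message above and not VRT code): a Python model of how the rule's two content options are evaluated, run over constructed sample buffers. The function names and the boolean standing in for flowbits:isset,file.pdf are assumptions made for illustration.

```python
# Added illustration: models only the two content matches of the rule above.
# Not Snort code; flow, flowbits and file_data handling are simplified.

FIRST = b"%PDF-1.6"   # content:"%PDF-1.6";
SECOND = b"qwe123"    # content:"qwe123"; distance:0;


def content_chain_matches(buf, contents):
    """Return True if every pattern is found, each one starting at or
    after the end of the previous match (what distance:0 requires).
    Matching is case-sensitive because the rule has no nocase."""
    cursor = 0
    for pattern in contents:
        idx = buf.find(pattern, cursor)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def rule_fires(file_data, pdf_flowbit_set):
    """pdf_flowbit_set stands in for flowbits:isset,file.pdf, which is
    set elsewhere in the ruleset when the response is identified as PDF."""
    return pdf_flowbit_set and content_chain_matches(file_data, [FIRST, SECOND])


# Constructed sample buffers (not taken from any pcap).
SAMPLES = {
    "marker_after_header": b"%PDF-1.6\n1 0 obj\n<< /Title (qwe123) >>\nendobj\n",
    "marker_before_header": b"qwe123 junk %PDF-1.6\n1 0 obj\nendobj\n",
    "other_pdf_version": b"%PDF-1.4\n1 0 obj\n<< /Title (qwe123) >>\nendobj\n",
    "marker_upper_case": b"%PDF-1.6\n1 0 obj\n<< /Title (QWE123) >>\nendobj\n",
    "header_not_at_offset_0": b"\r\n\r\n%PDF-1.6\n... qwe123 ...",
}


def evaluate_samples():
    """Evaluate every sample with the PDF flowbit assumed set."""
    return {name: rule_fires(data, True) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24} {'ALERT' if hit else 'no match'}")
```

The last sample matches because the first content has no offset or depth, so the header string is accepted anywhere in file_data; the version-specific header and the case-sensitive marker are the two places where the rule stops matching if the kit's PDFs change.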