[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

Joel Esler jesler at ...435...
Tue Mar 13 17:57:59 EDT 2012


Nathan, fixed up to:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)



On Tue, Mar 13, 2012 at 4:51 PM, Community Signatures <lists at ...3397...> wrote:

> On 03/13/12 15:46, Joel Esler wrote:
> > Do you have a pcap for the first one?
>
> Absolutely, en-route to VRT.  I actually probably have more than a few
> but I'll just send the most recent one because I'm pressed for time at
> the moment.
>
> Thanks,
> Nathan
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
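Added example (not part of the list post or of Snort itself): a small Python model of the payload conditions in the rule above, so the effect of the two `content:` matches and the `distance:0` modifier can be checked against constructed buffers. It assumes simplified Snort semantics (ordered byte-string searches over the reassembled file buffer) and does not model flow, flowbits, file_data or metadata.

```python
"""Model of the payload conditions in the Blackhole PDF rule above.

Snort semantics being modelled (simplified; an assumption of this example):
  * each `content:` is a byte-string search over the payload buffer
  * `distance:0` makes a match relative: the search starts right after the
    end of the previous content match, so order in the buffer is enforced
  * flow, flowbits, file_data and metadata keywords are NOT modelled
"""

# Content checks from the rule, in rule order.  The second tuple element is
# the `distance` modifier (None = absolute search from the start of the buffer).
RULE_CONTENTS = [
    (b"%PDF-1.6", None),
    (b"qwe123", 0),
]


def match_contents(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """Return True if every content matches, honouring relative distance."""
    cursor = 0  # byte offset where the next relative search may start
    for needle, distance in contents:
        start = 0 if distance is None else cursor + distance
        idx = payload.find(needle, start)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


# Constructed sample buffers (not real captures) exercising the rule logic.
SAMPLE_HIT = (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"2 0 obj\n<< /Title (qwe123) >>\nendobj\n%%EOF")
SAMPLE_WRONG_VERSION = SAMPLE_HIT.replace(b"%PDF-1.6", b"%PDF-1.4")
# Token present, but BEFORE the header: distance:0 must reject it.
SAMPLE_OUT_OF_ORDER = b"qwe123\n" + b"%PDF-1.6\n1 0 obj\nendobj\n%%EOF"


def evaluate_samples() -> dict:
    """Run the matcher over the constructed samples; keys name each case."""
    return {
        "hit": match_contents(SAMPLE_HIT),
        "wrong_version": match_contents(SAMPLE_WRONG_VERSION),
        "out_of_order": match_contents(SAMPLE_OUT_OF_ORDER),
    }


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {'ALERT' if result else 'no match'}")
```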

