[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

lists at ...3397... lists at ...3397...
Tue Mar 13 20:37:19 EDT 2012


On 03/13/12 16:57, Joel Esler wrote:
> Nathan, fixed up to:
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
> balanced-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:21583; rev:1;)

I strongly believe you need a fast_pattern on the "qwe123" string as it is the
most likely to be globally unique as compared to "%PDF-1.6".  Disagree?

Also "malicioius" was misspelled so corrected but this would have been likely
caught in QA so just pointing it out so it's not overlooked, not being pedantic.

I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is wise, I
don't recommend dropping this.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)

Thanks,
Nathan




More information about the Snort-sigs mailing list