[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

Joel Esler jesler at ...435...
Tue Mar 13 20:55:05 EDT 2012


That's a pretty old version of PDF marking. It's almost worth it to sig
that. ;)

It's a negligible difference as far as performance goes in my testing.
It's more worth it, IMO, to ensure that the qwe123 is after the PDF content
match. At least it's in the file. I'll check again.

I'm also future-proofing the rule for future enhancements to the Snort
engine by doing what I did.

The flowbit check is also a future-proof.

Thanks for the misspelling note.

On Tuesday, March 13, 2012, lists at ...3397... <lists at ...3397...>
wrote:
> On 03/13/12 16:57, Joel Esler wrote:
>> Nathan, fixed up to:
>>
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
>> (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
>> flow:to_client,established; flowbits:isset,file.pdf; file_data;
>> content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> classtype:trojan-activity; sid:21583; rev:1;)
>
> I strongly believe you need a fast_pattern on the "qwe123" string as it is the
> most likely to be globally unique as compared to "%PDF-1.6". Disagree?
>
> Also "malicioius" was misspelled so corrected but this would have been likely
> caught in QA so just pointing it out so it's not overlooked, not being pedantic.
>
> I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is wise, I
> don't recommend dropping this.
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:21583; rev:1;)
>
> Thanks,
> Nathan
>

-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
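As an added illustration that is not part of this thread or of Snort itself: a small Python model of the content / fast_pattern / distance:0 logic the two rules above rely on, run over constructed sample buffers. It shows why pre-filtering on "qwe123" instead of the longer "%PDF-1.6" (Snort's default fast pattern is the longest content in the rule) sends far fewer benign PDFs to full rule evaluation, and why distance:0 rejects a buffer where the marker precedes the header.

```python
# Toy model of Snort's content / fast_pattern / distance:0 handling.
# Snort uses one content per rule as a fast-pattern pre-filter and, absent an
# explicit fast_pattern, picks the longest content, i.e. the 8-byte "%PDF-1.6"
# rather than the 6-byte "qwe123" for the rule under discussion.

HEADER = b"%PDF-1.6"
MARKER = b"qwe123"


def rule_matches(payload: bytes, file_pdf_flowbit: bool) -> bool:
    """Full evaluation of: flowbits:isset,file.pdf; content:"%PDF-1.6";
    content:"qwe123"; distance:0 (the second match may only begin at or
    after the end of the first match)."""
    if not file_pdf_flowbit:
        return False
    hdr = payload.find(HEADER)
    if hdr < 0:
        return False
    return payload.find(MARKER, hdr + len(HEADER)) >= 0


def evaluate(payload: bytes, file_pdf_flowbit: bool, fast_pattern: bytes):
    """Return (matched, full_rule_evaluated). The fast pattern is a cheap
    pre-filter: if it is absent, the rule body is never evaluated."""
    if fast_pattern not in payload:
        return False, False
    return rule_matches(payload, file_pdf_flowbit), True


def count_full_evaluations(payloads, fast_pattern: bytes) -> int:
    """Number of buffers that reach full rule evaluation for a fast pattern."""
    return sum(evaluate(p, True, fast_pattern)[1] for p in payloads)


# Constructed sample file_data buffers (not real captures).
BENIGN_PDFS = [b"%PDF-1.6\n1 0 obj<</Type/Catalog>>endobj" for _ in range(9)]
MALICIOUS_PDF = b"%PDF-1.6\n1 0 obj<</Length 6>>stream\nqwe123\nendstream"
MARKER_BEFORE_HEADER = b"qwe123\n%PDF-1.6\n1 0 obj<<>>endobj"  # fails distance:0
NOT_A_PDF = b"<html>qwe123</html>"
SAMPLES = BENIGN_PDFS + [MALICIOUS_PDF, MARKER_BEFORE_HEADER, NOT_A_PDF]

if __name__ == "__main__":
    print("full evaluations, %PDF-1.6 as fast pattern:",
          count_full_evaluations(SAMPLES, HEADER))
    print("full evaluations, qwe123 as fast pattern:",
          count_full_evaluations(SAMPLES, MARKER))
```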