[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit
jesler at ...435...
Tue Mar 13 20:55:05 EDT 2012
That's a pretty old version of PDF marking. It's almost worth it to sig
It's a negligible difference as far as performance goes in my testing.
It's more worth it, IMO, to ensure that the qwe123 is after the PDF content
match. At least it's in the file. I'll check again.
I'm also future-proofing the rule for future enhancements to the Snort
engine by doing what I did.
The flowbit check is also future-proofing.
Thanks for the misspelling note.
On Tuesday, March 13, 2012, lists at ...3397... <lists at ...3397...>
> On 03/13/12 16:57, Joel Esler wrote:
>> Nathan, fixed up to:
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
>> (msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
>> flow:to_client,established; flowbits:isset,file.pdf; file_data;
>> content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
>> balanced-ips drop, policy security-ips drop, service http;
>> classtype:trojan-activity; sid:21583; rev:1;)
> I strongly believe you need a fast_pattern on the "qwe123" string as it
> most likely to be globally unique as compared to "%PDF-1.6". Disagree?
> Also "malicioius" was misspelled so corrected but this would have been
> caught in QA so just pointing it out so it's not overlooked, not being
> I do agree looking for %PDF-1.6 even with the file.pdf flowbit check is
> don't recommend dropping this.
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6"; content:"qwe123"; distance:0; fast_pattern;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:21583; rev:1;)
Senior Research Engineer, VRT
OpenSource Community Manager
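The two points argued in this thread (put fast_pattern on the globally rarer "qwe123" rather than letting Snort default to the longest content, and keep "qwe123" relative to the "%PDF-1.6" match with distance:0 behind the file.pdf flowbit and file_data) can be checked mechanically. The following is an added example written for this page, not Snort's own code or anything from the VRT: a small option parser and linter for Snort 2 rule text. It assumes the documented Snort 2 default that, absent an explicit fast_pattern, the longest content string becomes the fast pattern; the rule strings are the two variants quoted above, embedded as constructed input.

```python
"""Lint the content matches of a Snort 2 rule (added example, not Snort code)."""

# Constructed input: the rule before and after the fast_pattern change from the thread.
RULE_BEFORE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"SPECIFIC-THREATS Blackhole malicious pdf detection - qwe123"; '
    'flow:to_client,established; flowbits:isset,file.pdf; file_data; '
    'content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy '
    'balanced-ips drop, policy security-ips drop, service http; '
    'classtype:trojan-activity; sid:21583; rev:1;)'
)
RULE_AFTER = RULE_BEFORE.replace('distance:0;', 'distance:0; fast_pattern;')

# Modifiers that attach to the most recent content keyword.
CONTENT_MODIFIERS = {"nocase", "offset", "depth", "distance", "within",
                     "fast_pattern", "rawbytes"}


def split_options(option_text):
    """Split 'k:v; k2; ...' on semicolons, ignoring ';' inside double quotes."""
    opts, buf, in_quote = [], [], False
    for ch in option_text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (header, [(keyword, value_or_None), ...]) for one rule line."""
    start, end = rule.index('('), rule.rindex(')')
    pairs = []
    for opt in split_options(rule[start + 1:end]):
        key, sep, val = opt.partition(':')
        pairs.append((key.strip(), val.strip() if sep else None))
    return rule[:start].strip(), pairs


def content_matches(pairs):
    """Group each content keyword with the modifiers that follow it."""
    matches = []
    for key, val in pairs:
        if key == 'content':
            matches.append({'pattern': val.strip('"'), 'modifiers': {}, 'relative': False})
        elif matches and key in CONTENT_MODIFIERS:
            matches[-1]['modifiers'][key] = val
            if key in ('distance', 'within'):   # relative to the previous match
                matches[-1]['relative'] = True
    return matches


def fast_pattern_of(matches):
    """Explicit fast_pattern wins; otherwise Snort 2 uses the longest content (assumed default)."""
    for m in matches:
        if 'fast_pattern' in m['modifiers']:
            return m['pattern']
    return max(matches, key=lambda m: len(m['pattern']))['pattern'] if matches else None


def lint(rule):
    """Report the effective fast pattern and the review points raised in the thread."""
    header, pairs = parse_rule(rule)
    matches = content_matches(pairs)
    keys = [k for k, _ in pairs]
    fp = fast_pattern_of(matches)
    explicit = any('fast_pattern' in m['modifiers'] for m in matches)
    findings = []
    if not explicit and len(matches) > 1:
        findings.append(f'no explicit fast_pattern; default selects longest content {fp!r}')
    if fp and fp.startswith('%PDF-'):
        findings.append(f'fast pattern {fp!r} occurs in every PDF of that version, '
                        'so every such file is queued for full rule evaluation')
    if 'file_data' not in keys:
        findings.append('content matches are not anchored to the file_data buffer')
    if not any(k == 'flowbits' and v and v.startswith('isset') for k, v in pairs):
        findings.append('no flowbits:isset gate; rule is evaluated on every matching flow')
    for m in matches[1:]:
        if not m['relative']:
            findings.append(f'content {m["pattern"]!r} is not relative to the previous match')
    return {'header': header, 'contents': [m['pattern'] for m in matches],
            'fast_pattern': fp, 'explicit_fast_pattern': explicit, 'findings': findings}


if __name__ == '__main__':
    for name, rule in (('before', RULE_BEFORE), ('after', RULE_AFTER)):
        print(name, lint(rule))
```

Run stand-alone, the "before" rule reports that the default fast pattern would be "%PDF-1.6", which is exactly the performance concern raised in the thread; the "after" rule, with fast_pattern attached to "qwe123", produces no findings.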