[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

lists at ...3397... lists at ...3397...
Tue Mar 13 21:13:23 EDT 2012

Thanks Joel for the reply, let me reply in line:

On 03/13/12 19:55, Joel Esler wrote:
> That's a pretty old version of PDF marking. It's almost worth it to sig
> that. ;)

You're right but I know from time to time the old legitimate floats around...

> It's a negligible difference as far as performance goes  in my testing.
> It's more worth it, IMO, to ensure that the qwe123 is after the PDF content
> match. At least it's in the file. I'll check again.

So help me understand this one if you don't mind and I appreciate your wisdom.
It's my understanding, with regard to fast_pattern at least (not
fast_pattern:only), that the content match and distance:0 modifiers are still

As I understand the rule evaluation to be with regard to
flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123";
distance:0; fast_pattern;

1) fast_pattern case-insensitive match against the file_data buffer for "qwe123"
2) content match check for "%PDF-1.6" against the file_data buffer.
3) content match check for "qwe123" against the file_data buffer relative to the
previous content match of "%PDF-1.6".
4) flowbit check for state of file.pdf

Is this execution path correct?  As I understand it the content modifiers like
within, distance, etc still apply to a content match which has been explicitly
set to fast_pattern (not fast_pattern:only).

Educate me if I'm wrong please.

> I'm also future proofing the rule for future enhancements to the Snort
> engine.  By doing what I did.

Can you elaborate more on this?


More information about the Snort-sigs mailing list