[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit

Joel Esler jesler at ...435...
Tue Mar 13 21:57:43 EDT 2012

On Tue, Mar 13, 2012 at 9:13 PM, lists at ...3397...
<lists at ...3397...>wrote:

> Thanks Joel for the reply, let me reply in line:
> On 03/13/12 19:55, Joel Esler wrote:
> > That's a pretty old version of PDF marking. It's almost worth it to sig
> > that. ;)
> You're right but I know from time to time the old legitimate floats
> around...
> > It's a negligible difference as far as performance goes  in my testing.
> > It's more worth it, IMO, to ensure that the qwe123 is after the PDF
> content
> > match. At least it's in the file. I'll check again.
> So help me understand this one if you don't mind and I appreciate your
> wisdom.
> It's my understanding, with regard to fast_pattern at least (not
> fast_pattern:only), that the content match and distance:0 modifiers are
> still
> applied.
> Yes, they do.  I tested it again, and I was right.  The PDF check is
faster than the qwe123 check by a factor of about 4.  (If you fast pattern
the qwe123 instead of the PDF it takes 4 times as long to evaluate)

> As I understand the rule evaluation to be with regard to
> flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123";
> distance:0; fast_pattern;
> 1) fast_pattern case-insensitive match against the file_data buffer for
> "qwe123"
> 2) content match check for "%PDF-1.6" against the file_data buffer.
> 3) content match check for "qwe123" against the file_data buffer relative
> to the
> previous content match of "%PDF-1.6".
> 4) flowbit check for state of file.pdf

Actually, #4 should be #2.  Since the rule options are read left to right
after the header.  (Header is read last.)

> Is this execution path correct?  As I understand it the content modifiers
> like
> within, distance, etc still apply to a content match which has been
> explicitly
> set to fast_pattern (not fast_pattern:only).

Correct.  fast_pattern is not case insensitive though.  fast_pattern:only,
however, is.

> <snip>
> > I'm also future proofing the rule for future enhancements to the Snort
> > engine.  By doing what I did.
> Can you elaborate more on this?
Not yet.  As I said in my blog post, 2012 is going to be a big year for
Snort.  I'll announce things when we are ready to do so.  I don't like to
put things out until we have something solid.  I don't like to over promise
and under deliver.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120313/171bb9b6/attachment.html>

More information about the Snort-sigs mailing list