[Snort-sigs] Proposed Signatures - Blackhole Exploit Kit
jesler at ...435...
Tue Mar 13 21:57:43 EDT 2012
On Tue, Mar 13, 2012 at 9:13 PM, lists at ...3397...
<lists at ...3397...>wrote:
> Thanks Joel for the reply, let me reply in line:
> On 03/13/12 19:55, Joel Esler wrote:
> > That's a pretty old version of PDF marking. It's almost worth it to sig
> > that. ;)
> You're right but I know from time to time the old legitimate floats
> > It's a negligible difference as far as performance goes in my testing.
> > It's more worth it, IMO, to ensure that the qwe123 is after the PDF
> > match. At least it's in the file. I'll check again.
> So help me understand this one if you don't mind and I appreciate your
> It's my understanding, with regard to fast_pattern at least (not
> fast_pattern:only), that the content match and distance:0 modifiers are
> Yes, they do. I tested it again, and I was right. The PDF check is
faster than the qwe123 check by a factor of about 4. (If you fast pattern
the qwe123 instead of the PDF it takes 4 times as long to evaluate)
> As I understand the rule evaluation to be with regard to
> flowbits:isset,file.pdf; file_data; content:"%PDF-1.6"; content:"qwe123";
> distance:0; fast_pattern;
> 1) fast_pattern case-insensitive match against the file_data buffer for
> 2) content match check for "%PDF-1.6" against the file_data buffer.
> 3) content match check for "qwe123" against the file_data buffer relative
> to the
> previous content match of "%PDF-1.6".
> 4) flowbit check for state of file.pdf
Actually, #4 should be #2. Since the rule options are read left to right
after the header. (Header is read last.)
> Is this execution path correct? As I understand it the content modifiers
> within, distance, etc still apply to a content match which has been
> set to fast_pattern (not fast_pattern:only).
Correct. fast_pattern is not case insensitive though. fast_pattern:only,
> > I'm also future proofing the rule for future enhancements to the Snort
> > engine. By doing what I did.
> Can you elaborate more on this?
Not yet. As I said in my blog post, 2012 is going to be a big year for
Snort. I'll announce things when we are ready to do so. I don't like to
put things out until we have something solid. I don't like to over promise
and under deliver.
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs