Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"


From: Community Signatures <lists () packetmail net>
Date: Tue, 13 Mar 2012 10:57:54 -0500

On 03/13/12 10:43, Joel Esler wrote:

So an additional rule may not add value.

Well, looking at these SIDs that fired, they're not so much related to
the initial landing redirect (document.location), which I feel is as
important as the landing page itself.

The landing page and its content can vary; however, I believe there to
be value in detection of the specific terse structure of the landing
redirect itself, in this case nothing more than a document.location
statement to the 16-byte hex Blackhole landing page on showthread.php
(vBulletin emulation, anyone?).

I think there's still value in the proposed as there isn't any 1:1
overlap, just SIDs firing *after* landing.  Disagree?

The PCRE is missing an escape for period in "showthread.php" -- sadly
this still doesn't make it fire (argh).

Thanks,
Nathan
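
The escape issue raised above, worked through as an added example that is not part of the thread and not the proposed rule's actual PCRE (which is not reproduced here). The two patterns below are an assumed shape for the rule's content match: a `document.location` assignment to a `showthread.php` URL whose `t=` parameter is 16 hex characters. The sample pages, host names and parameter values are constructed. The unescaped variant shows why `showthread.php` needs `showthread\.php`: a bare `.` matches any character, so the pattern is looser than intended; the escaped variant is the intended match. A third pattern checks the "terse structure" the post describes, a page body that is nothing but that one redirect statement.

```python
import re

# Constructed sample of the terse redirect structure discussed in the
# thread: a lone document.location assignment to a showthread.php URL
# with a 16-hex-character parameter. Host name and parameter are made up.
SAMPLE_REDIRECT = (
    '<script>document.location="http://example.invalid/showthread.php?'
    't=73a07b4f2e1d9c8b";</script>'
)

# Constructed benign page with a vBulletin-style link but no redirect,
# to show that neither pattern fires on ordinary forum content.
SAMPLE_BENIGN = '<a href="/forum/showthread.php?t=12345">Thread</a>'

# Constructed string where the period in "showthread.php" is replaced
# by "X". An unescaped "." in the PCRE matches this; "\." does not.
SAMPLE_ODD = (
    'document.location="http://example.invalid/showthreadXphp?'
    't=73a07b4f2e1d9c8b"'
)

# Assumed rule shape with the defect the post points out: the period in
# "showthread.php" is not escaped, so it is a regex wildcard.
PCRE_UNESCAPED = re.compile(
    r'document\.location\s*=\s*["\']https?://[^"\']+/showthread.php'
    r'\?t=[0-9a-f]{16}["\']',
    re.IGNORECASE,
)

# Same assumed shape with the period escaped: "\." matches only ".".
PCRE_ESCAPED = re.compile(
    r'document\.location\s*=\s*["\']https?://[^"\']+/showthread\.php'
    r'\?t=[0-9a-f]{16}["\']',
    re.IGNORECASE,
)

# Assumed check for the "terse" structure: optional html/body wrappers,
# one script element, and nothing in it but the document.location line.
TERSE_BODY = re.compile(
    r'^\s*(?:<html>\s*)?(?:<body>\s*)?<script[^>]*>\s*'
    r'document\.location\s*=\s*["\'][^"\']+["\'];?\s*</script>\s*'
    r'(?:</body>\s*)?(?:</html>)?\s*$',
    re.IGNORECASE | re.DOTALL,
)


def matches(pattern, payload):
    """True if the compiled pattern finds a match anywhere in payload."""
    return pattern.search(payload) is not None


def is_terse_redirect(body):
    """True if the whole body is just a document.location redirect."""
    return TERSE_BODY.search(body) is not None


def classify(payload):
    """Report which of the three checks fire on a payload."""
    return {
        "unescaped": matches(PCRE_UNESCAPED, payload),
        "escaped": matches(PCRE_ESCAPED, payload),
        "terse": is_terse_redirect(payload),
    }


if __name__ == "__main__":
    for name, sample in (("redirect", SAMPLE_REDIRECT),
                         ("benign", SAMPLE_BENIGN),
                         ("odd", SAMPLE_ODD)):
        print(name, classify(sample))
```

Running it shows the escaped and unescaped patterns agreeing on the real redirect and on the benign page, and disagreeing only on the constructed `showthreadXphp` string, which is exactly the looseness the missing escape introduces. Whether the escaped pattern fires on live traffic also depends on the rule's other options (flow direction, content anchors, packet boundaries), none of which this snippet models.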


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org