Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proposed Signatures - Blackhole Exploit Kit

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 17:57:59 -0400
Nathan, fixed up to:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS Blackhole malicioius pdf detection - qwe123";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6"; content:"qwe123"; distance:0; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:21583; rev:1;)



On Tue, Mar 13, 2012 at 4:51 PM, Community Signatures
<lists () packetmail net>wrote:


On 03/13/12 15:46, Joel Esler wrote:

Do you have a pcap for the first one?


Absolutely, en-route to VRT.  I actually probably have more than a few
but I'll just send the most recent one because I'm pressed for time at
the moment.

Thanks,
Nathan





-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: