[Emerging-Sigs] worth writing a signature?
Jack Pepper
pepperjack at afferentsecurity.com
Thu Jul 3 15:19:17 EDT 2008
Quoting Marcus <marc at unsober.org>:
> I've run into some samples with content-type as javascript but it
> downloads an executable. Would it be
> worth writing a signature to catch content:"|0d 0a|MZ" and
> content:"Content-Type\: application/x-javascript"? I can't imagine a
legitimate use for this, so FPs should be limited.
I think it's worth doing. The way I decide if it's worth doing is if
I can envision an action plan for the rule. In the case you describe,
we can tell the help desk that a workstation might have downloaded
malware, and we can tell the security analysts to go see what gets
downloaded from that script. So based on my criteria, it would be a
useful rule.
If it's not actionable, I generally don't bother.
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
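The check Marcus proposes, run over constructed HTTP responses as an added example (this is not code from the thread, and the sample responses are made up, not captures). It ports the rule two ways: literally, as the two `content` matches appear anywhere in the response, and body-anchored, where the `MZ` must be the first two bytes of the (dechunked) response body. The literal form also fires on an ordinary script that happens to have a line starting with "MZ", and a body-anchored check has to dechunk first or it misses the chunked delivery. Function and sample names are mine.

```python
"""Detection logic for 'declared JavaScript, delivers a PE file'.

Added example; not code from the Emerging-Sigs thread. Every response
below is constructed by hand and truncated; none is a real capture.
"""

# Constructed HTTP responses (not real captures). Bodies are truncated.
SAMPLES = {
    # The case from the thread: JavaScript content-type, PE body.
    "js_delivers_exe": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-javascript\r\n"
        b"Content-Length: 8\r\n"
        b"\r\n"
        b"MZ\x90\x00\x03\x00\x00\x00"
    ),
    # Ordinary script: must not alert.
    "real_js": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-javascript\r\n"
        b"\r\n"
        b"function f() { return 1; }\r\n"
    ),
    # Ordinary download with an honest content-type: must not alert.
    "real_exe": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"\r\n"
        b"MZ\x90\x00\x03\x00\x00\x00"
    ),
    # Script with a line that starts with 'MZ': false positive for the
    # literal rule, because "\r\nMZ" occurs inside the body.
    "js_mz_line": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-javascript\r\n"
        b"\r\n"
        b"var a = 1;\r\nMZone.init(a);\r\n"
    ),
    # Same payload as the first sample, sent chunked: the first bytes on
    # the wire after the headers are the chunk size, not 'MZ'.
    "js_delivers_exe_chunked": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/x-javascript\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n"
        b"8\r\nMZ\x90\x00\x03\x00\x00\x00\r\n0\r\n\r\n"
    ),
}


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked transfer-coding body (RFC 7230 section 4.1)."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            break
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the data and its trailing CRLF
    return out


def parse_response(raw: bytes):
    """Split a raw response into (status line, lowercase header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no end of headers")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    return lines[0], headers, body


def rule_as_written(raw: bytes) -> bool:
    """Literal port of the proposed rule: both strings anywhere in the response."""
    return (b"Content-Type: application/x-javascript" in raw) and (b"\r\nMZ" in raw)


def rule_body_anchored(raw: bytes) -> bool:
    """Stricter form: the declared type is JavaScript and the body starts with MZ."""
    _, headers, body = parse_response(raw)
    ctype = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
    return ctype == b"application/x-javascript" and body.startswith(b"MZ")


def evaluate(samples=SAMPLES):
    """Return {sample name: (as_written fired, body_anchored fired)}."""
    return {name: (rule_as_written(raw), rule_body_anchored(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (loose, strict) in evaluate().items():
        print(f"{name:26s} as_written={loose!s:5s} body_anchored={strict}")
```

The two forms disagree only on `js_mz_line` (literal rule fires, anchored rule does not) and would disagree on `js_delivers_exe_chunked` if the anchored check skipped dechunking. In current Snort and Suricata the equivalent of the anchored check is a `content:"MZ"; depth:2;` match in the normalized response-body buffer (`file_data`), which the engine dechunks for you; that is my note on the rule language, not something the thread says.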