[Emerging-Sigs] worth writing a signature?
Matt Jonkman
jonkman at jonkmans.com
Thu Jul 3 15:33:15 EDT 2008
I think that's an excellent criterion for value in a sig.
I just posted a version. Can you all test it out please?
thanks
Matt
Jack Pepper wrote:
> Quoting Marcus <marc at unsober.org>:
>
>> I've run into some samples with content-type as javascript but it
>> downloads an executable. Would it be
>> worth writing a signature to catch content:"|0d 0a|MZ" and
>> content:"Content-Type\: application/x-javascript"? I can't imagine a
>> legitimate use for this, so FPs should be limited.
>
> I think it's worth doing. The way I decide if it's worth doing is if
> I can envision an action plan for the rule. In the case you describe,
> we can tell the help desk that a workstation might have downloaded
> malware, and we can tell the security analysts to go see what gets
> downloaded from that script. So based on my criteria, it would be a
> useful rule.
>
> If it's not actionable, I generally don't bother.
>
> jp
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
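The check the thread is discussing (a response that advertises JavaScript but whose body starts with the DOS/PE "MZ" magic) is easy to reproduce outside Snort, which is handy for validating the idea against your own traffic before trusting a rule. The script below is an added example, not Matt's posted rule or anything from the Emerging Threats ruleset; the HTTP responses it examines are constructed samples, and the set of JavaScript media types it treats as "declared JavaScript" is an assumption that goes slightly beyond the single `application/x-javascript` value in the thread.

```python
"""Flag HTTP responses whose Content-Type claims JavaScript but whose body
begins with the PE/DOS 'MZ' magic (added example; samples below are constructed,
not captured traffic)."""

HEADER_END = b"\r\n\r\n"
PE_MAGIC = b"MZ"
# Assumption: treat these three media types as "declared JavaScript"; the
# thread only mentions application/x-javascript.
JS_TYPES = {"application/x-javascript", "application/javascript", "text/javascript"}

# Constructed sample responses.
JS_OK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-javascript\r\n"
    b"\r\n"
    b"function f(){return 1;}\r\n"
)
MISLABELED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-javascript\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
)
# Same payload, but chunked: the bytes right after the header CRLF are the
# chunk-size line ("10"), so a raw "|0d 0a|MZ" match would miss it.
MISLABELED_CHUNKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/x-javascript\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"10\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\r\n"
    b"0\r\n\r\n"
)
# An executable that is labelled as one: not a mismatch, so not flagged.
EXE_HONEST = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
)
SAMPLES = [JS_OK, MISLABELED, MISLABELED_CHUNKED, EXE_HONEST]


def split_response(raw: bytes):
    """Return (status line, lower-cased header dict, body) for a raw response."""
    head, sep, body = raw.partition(HEADER_END)
    if not sep:
        raise ValueError("no header terminator found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def media_type(headers) -> str:
    """Content-Type with parameters stripped and lower-cased."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def payload_start(headers, body: bytes) -> bytes:
    """Body bytes as the client decodes them: for chunked transfer encoding,
    skip the leading chunk-size line so the magic check sees real payload."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        _, _, body = body.partition(b"\r\n")
    return body


def is_mislabeled_executable(raw: bytes) -> bool:
    """True when the declared type is JavaScript but the payload starts with MZ."""
    _, headers, body = split_response(raw)
    if media_type(headers) not in JS_TYPES:
        return False
    return payload_start(headers, body).startswith(PE_MAGIC)


def scan(responses):
    """Indices of responses in `responses` that trip the check."""
    return [i for i, r in enumerate(responses) if is_mislabeled_executable(r)]


if __name__ == "__main__":
    for i in scan(SAMPLES):
        print(f"sample {i}: declared JavaScript, body begins with MZ")
```

Two points worth keeping in mind when turning this into a network signature: a content match anchored on the CRLF before "MZ" only fires when the body is sent unchunked, and a JavaScript file that happens to contain the literal string "MZ" elsewhere will not match as long as the rule insists the magic sits immediately after the header terminator, which is what keeps the false-positive rate low.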