[Emerging-Sigs] Blackhole HCP sig

rmkml rmkml at free.fr
Mon Oct 10 01:36:04 EDT 2011


Thx you Harry,
Maybe missing a "\" on pcre? like this:
  pcre:"/\/pch2.php?c=\d+$/U";
Regards
Rmkml


On Sun, 9 Oct 2011, harry.tuttle wrote:

> URI structure du jour.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server;
>  content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
> Currently live example:
> hxxp://signal.paycheckinaction.com/content/pch2.php?c=9
> Serving up a Fake AV which in turn hits 2010382.
> Regards,
> Harry
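An added check, not part of the thread, showing how the three pcre variants discussed above behave against the live URI Harry quoted: Python's `re` stands in for Snort's PCRE (the `/U` normalized-URI-buffer modifier has no Python equivalent and is dropped), and the sample URIs are constructed for the test.

```python
import re

# Constructed sample URIs: the live example path from the thread plus near-misses.
SAMPLE_URIS = [
    "/content/pch2.php?c=9",      # quoted in the thread; the rule should fire on this
    "/pch2.php?c=42",             # same shape, different id
    "/content/pch2.php?c=",       # no digits after c=
    "/content/pch2.php?c=9&x=1",  # extra parameter; the trailing $ rejects it
]

# The pcre bodies only (Snort's /U selects the normalized URI buffer, which
# Python's re has no equivalent for, so it is omitted here).
PATTERNS = {
    "as_posted": r"/pch2.php?c=d+$",          # d+ is literal d's; php? makes the p optional
    "backslash_only": r"\/pch2.php?c=\d+$",   # \d restored, but . and ? are still metacharacters
    "fully_escaped": r"\/pch2\.php\?c=\d+$",  # every literal metacharacter escaped
}

CONTENT_MATCH = "/pch2.php?c="  # the rule's content: keyword, a plain substring prefilter


def rule_fires(pattern, uri):
    """Approximate the rule: content prefilter first, then the pcre refinement."""
    if CONTENT_MATCH not in uri:
        return False
    return re.search(pattern, uri) is not None


def evaluate(patterns=PATTERNS, uris=SAMPLE_URIS):
    """Return, per pattern variant, the sample URIs on which the rule would fire."""
    return {name: [u for u in uris if rule_fires(p, u)] for name, p in patterns.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15s} -> {hits}")
```

Only the fully escaped form fires on the quoted URI; the other two never match because the unescaped `?` makes the `p` in `php` optional and the literal `?` in the URI is then never consumed.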

