[Emerging-Sigs] Blackhole HCP sig

harry.tuttle harry.tuttle at zoho.com
Mon Oct 10 11:03:58 EDT 2011


I don't think it will really matter much either way.

I just started with 2013077 which also omits the leading /.

I'm good either way.

Regards,
Harry


---- On Sun, 09 Oct 2011 22:36:04 -0700 rmkml  wrote ---- 

>Thx you Harry, 
>Maybe missing a "" on pcre? like this: 
> pcre:"//pch2.php?c=d+$/U"; 
>Regards 
>Rmkml 
> 
> 
>On Sun, 9 Oct 2011, harry.tuttle wrote: 
> 
>> URI structure du jour. 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; 
>> content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;) 
>> Currently live example: 
>> hxxp://signal.paycheckinaction.com/content/pch2.php?c=9 
>> Serving up a Fake AV which in turn hits 2010382. 
>> Regards, 
>> Harry 
>
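Added example (not from the thread's authors or the ET rule set): the pcre as it survives in the archive, `/pch2.php?c=d+$/U`, has lost its backslashes, so read literally it treats `?` as "optional p", `.` as any character and `d+` as one or more literal letters `d`. The snippet below runs that pattern and an escaped variant (my assumption of the intended form, `/\/pch2\.php\?c=\d+$/U`) against a few constructed URIs, including the path of the live example quoted above, to show which one actually detects the traffic. Snort's `U` modifier is approximated here by matching against the normalised path-plus-query string.

```python
import re

# Pattern as it appears in the thread (backslashes stripped by the archive).
POSTED_PCRE = r"pch2.php?c=d+$"

# Escaped form this example assumes was intended; not the published rule.
ESCAPED_PCRE = r"/pch2\.php\?c=\d+$"

# Constructed sample URIs for the check. The first is the path portion of the
# live example quoted in the thread; the rest are made up for contrast.
SAMPLE_URIS = [
    "/content/pch2.php?c=9",
    "/content/pch2.php?c=123",
    "/content/pch2.php?c=abc",
    "/content/pch2.phpc=ddd",
    "/other/page.php?c=9",
]


def matches(pattern, uri):
    """True if the pattern fires on the normalised URI (path + query).

    Snort's /U modifier evaluates the pcre against the normalised URI buffer;
    re.search over the path+query string is a reasonable stand-in for that.
    """
    return re.search(pattern, uri) is not None


def compare(uris=SAMPLE_URIS):
    """Map each URI to (posted pattern fires, escaped pattern fires)."""
    return {uri: (matches(POSTED_PCRE, uri), matches(ESCAPED_PCRE, uri))
            for uri in uris}


if __name__ == "__main__":
    for uri, (posted, escaped) in compare().items():
        print(f"{uri:28} posted={posted!s:5} escaped={escaped}")
```

Running it shows the posted pattern misses the real `pch2.php?c=9` request entirely and instead fires on a nonsense path like `/content/pch2.phpc=ddd`, while the escaped form matches only numeric `c=` values after `pch2.php?`. The `content:"/pch2.php?c="; http_uri;` match in the rule still does the coarse filtering either way; the pcre is what narrows it to the numeric parameter.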
