[Emerging-Sigs] Blackhole HCP sig
harry.tuttle at zoho.com
Mon Oct 10 11:03:58 EDT 2011
I don't think it will really matter much either way.
I just started with 2013077 which also omits the leading /.
I'm good either way.
---- On Sun, 09 Oct 2011 22:36:04 -0700 rmkml wrote ----
>Thx you Harry,
>Maybe missing a "\" on pcre? like this:
>On Sun, 9 Oct 2011, harry.tuttle wrote:
>> URI structure du jour.
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server;
>> content:"/pch2.php?c="; http_uri; pcre:"/pch2\.php\?c=\d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
>> Currently live example:
>> Serving up a Fake AV which in turn hits 2010382.
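Added example, not code from the thread or from the Emerging Threats ruleset: a small Python harness that runs the pcre as it appears above with its backslashes stripped, and the escaped form, against constructed URIs to show why the escaping matters. The content-then-pcre evaluation here is a simplified approximation of how Snort/Suricata apply the two keywords, not the engine itself.

```python
import re

# Constructed sample URIs (not taken from the thread); the first is the
# request shape the signature is meant to catch.
SAMPLE_URIS = [
    "/pch2.php?c=12345",        # intended hit
    "/pch2.php?c=12345&x=1",    # trailing parameter: the $ anchor rejects it
    "/pch2.phpc=ddd",           # only the unescaped pattern can match this
    "/pch2Xphp?c=12345",        # '.' unescaped would accept any character here
    "/other.php?c=12345",       # unrelated script
]

CONTENT = "/pch2.php?c="            # the rule's content: keyword (http_uri)
PCRE_AS_POSTED = r"pch2.php?c=d+$"  # backslashes stripped: 'p' optional, literal 'd'
PCRE_ESCAPED = r"pch2\.php\?c=\d+$" # '.', '?' literal, \d+ for the numeric id


def pcre_hits(pattern: str, uri: str) -> bool:
    """Apply the pcre body alone (the /U modifier selects the normalized URI)."""
    return re.search(pattern, uri) is not None


def rule_hits(pattern: str, uri: str) -> bool:
    """Approximate the rule: content must be present in the URI, then pcre must match."""
    if CONTENT not in uri:
        return False
    return pcre_hits(pattern, uri)


def compare(uris=SAMPLE_URIS) -> dict:
    """Return {uri: (as_posted, escaped)} rule results for each sample URI."""
    return {u: (rule_hits(PCRE_AS_POSTED, u), rule_hits(PCRE_ESCAPED, u)) for u in uris}


if __name__ == "__main__":
    for uri, (posted, escaped) in compare().items():
        print(f"{uri:28} as-posted={posted!s:5} escaped={escaped}")
```

With the backslashes stripped the pattern never matches the real URI at all, because `php?` cannot consume the literal `?`, and `d+` wants the letters "d", not digits.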