[Emerging-Sigs] Blackhole HCP sig

waldo kitty wkitty42 at windstream.net
Mon Oct 10 12:15:33 EDT 2011


On 10/10/2011 11:03, harry.tuttle wrote:
> I don't think it will really matter much either way.
>
> I just started with 2013077 which also omits the leading /.
>
> I'm good either way.
>
> Regards,
> Harry
>
>
> ---- On Sun, 09 Oct 2011 22:36:04 -0700 rmkml  wrote ----
>
>> Thx you Harry,
>> Maybe missing a "" on pcre? like this:
>> pcre:"//pch2.php?c=d+$/U";
>> Regards
>> Rmkml

very interesting... something ate the escape backslashes in the above quote... i 
have to wonder if things like this happen very often and lead to problems such 
as miscommunication, logic flaws, and simply broken code :?

the question now is where was the character removed? i saw it in the original 
post when reading it... but not in the above when reading it...

>>
>>
>> On Sun, 9 Oct 2011, harry.tuttle wrote:
>>
>>> URI structure du jour.
>>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server;
>>> content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
>>> Currently live example:
>>> hxxp://signal.paycheckinaction.com/content/pch2.php?c=9
>>> Serving up a Fake AV which in turn hits 2010382.
>>> Regards,
>>> Harry
>>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>
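The practical consequence of the escape backslashes being eaten is that the pcre option changes meaning and stops matching the very URI it was written for. The following added check (not part of the thread or the ET ruleset) compares the three forms of the pcre discussed above against constructed sample URIs modelled on the quoted live example; it assumes only the /U modifier is present, which in Snort selects the normalized URI buffer and does not alter the regex itself.

```python
import re

# pcre option bodies exactly as they appear (or should appear) in the rule.
PCRE_ESCAPED = r"/\/pch2\.php\?c=\d+$/U"    # rmkml's reconstruction, leading / escaped
PCRE_NO_SLASH = r"/pch2\.php\?c=\d+$/U"     # Harry's variant that omits the leading /
PCRE_STRIPPED = r"/pch2.php?c=d+$/U"        # what survived in the quoted mail

# Constructed sample URIs (contents of the normalized URI buffer).
SAMPLE_URIS = [
    "/content/pch2.php?c=9",     # the quoted live example
    "/content/pch2.php?c=1234",  # same structure, longer numeric id
    "/content/pch2.php?c=abc",   # non-numeric parameter, should not match
    "/content/pch2Xphp?c=9",     # '.' must be a literal dot, not "any character"
    "/x/pch2.phpc=dd",           # only the stripped pattern matches this one
]


def snort_pcre_to_python(pcre_option: str) -> re.Pattern:
    """Compile the body of a Snort pcre:"..." option as a Python regex.

    Assumption: the only modifier is U (URI buffer selection), which is dropped
    because it has no effect on the regex semantics. Python's re and PCRE agree
    on every construct used here (escaped metacharacters, \\d, +, $).
    """
    if not pcre_option.startswith("/"):
        raise ValueError("pcre option must start with '/'")
    body, _, modifiers = pcre_option[1:].rpartition("/")
    if modifiers.replace("U", ""):
        raise ValueError(f"unsupported pcre modifiers: {modifiers}")
    return re.compile(body)


def matches(pcre_option: str, uri: str) -> bool:
    """True if the rule's pcre would fire on this URI buffer."""
    return snort_pcre_to_python(pcre_option).search(uri) is not None


def matching_uris(pcre_option: str) -> list:
    """Which of the sample URIs a given pcre form actually matches."""
    return [uri for uri in SAMPLE_URIS if matches(pcre_option, uri)]


if __name__ == "__main__":
    for name, opt in (("escaped", PCRE_ESCAPED), ("no-slash", PCRE_NO_SLASH),
                      ("stripped", PCRE_STRIPPED)):
        print(f"{name:9s} {opt:28s} -> {matching_uris(opt)}")
```

With the backslashes gone, `.` becomes a wildcard, `p?` makes the last `p` optional, and `d+` wants literal d's, so the stripped form no longer fires on the live example at all.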
