[Emerging-Sigs] Blackhole HCP sig
wkitty42 at windstream.net
Mon Oct 10 12:15:33 EDT 2011
On 10/10/2011 11:03, harry.tuttle wrote:
> I don't think it will really matter much either way.
> I just started with 2013077 which also omits the leading /.
> I'm good either way.
> ---- On Sun, 09 Oct 2011 22:36:04 -0700 rmkml wrote ----
>> Thx you Harry,
>> Maybe missing a "" on pcre? like this:
Very interesting... something ate the escape backslashes in the above quote... I
have to wonder if things like this happen very often and lead to problems such
as miscommunication, logic flaws, and simply broken code :?
The question now is where was the character removed? I saw it in the original
post when reading it... but not in the above when reading it...
>> On Sun, 9 Oct 2011, harry.tuttle wrote:
>>> URI structure du jour.
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server;
>>> content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
>>> Currently live example:
>>> Serving up a Fake AV which in turn hits 2010382.
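To show why the stripped backslashes matter for detection, here is an added example (not from the thread or from Emerging Threats) that runs the pcre as it appears above, with the escapes eaten, next to my assumed reconstruction with the escapes restored, against constructed sample URIs. Snort's /U modifier only selects the normalized URI buffer, so plain Python `re` is enough to show the matching difference.

```python
import re

# Constructed sample URIs (not taken from the thread).
SAMPLE_URIS = [
    "/pch2.php?c=123",   # the request shape the rule is meant to catch
    "/pch2.php?c=abc",   # same path, but c= is not all digits
    "/pch2xphpc=ddd",    # nonsense URI that only the stripped regex accepts
]

# The pcre exactly as it survived the mailer: '.' is any char, 'p?' is an
# optional p, and 'd+' is one or more literal d's.
STRIPPED = r"/pch2.php?c=d+$"

# Assumed intended pcre with the backslashes restored (my reading of the
# thread, not a confirmed rule): literal '.', literal '?', digits only.
ESCAPED = r"/pch2\.php\?c=\d+$"


def matches(pattern, uri):
    """True if the pattern hits anywhere in the URI, like Snort's pcre option."""
    return re.search(pattern, uri) is not None


def compare(uris=SAMPLE_URIS):
    """Map each URI to (stripped_hit, escaped_hit) so the two rules can be compared."""
    return {u: (matches(STRIPPED, u), matches(ESCAPED, u)) for u in uris}


if __name__ == "__main__":
    for uri, (stripped, escaped) in compare().items():
        print(f"{uri:20} stripped={stripped!s:5} escaped={escaped!s:5}")
```

The stripped pattern misses the real request entirely and fires only on junk, so a rule copied from the mangled mail would be silent on the traffic it was written for.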