[Emerging-Sigs] [SURBL] Re: Proposed Signature for hostile 302 'gift.exe'

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 19 11:36:15 EDT 2011


Posting then, thank you sir!

I wish we had a classtype titled "Oh come on… you could at least try not to be obvious"

Like the /bot.php checkin URLs. Love those. :)

Matt



On Oct 19, 2011, at 10:13 AM, Nathan wrote:

>> How about we just go with a suspicious download request for gift.exe? Not
>> all that many places where that'd happen naturally?
>
>> Then we know if the browser followed and requested the exe, vs just an
>> attempt. I'd hope safebrowsing or some other protection might prevent it, and
>> thus we'd not have an event if so.
> 
> Works for me sir.  Never look a gift.exe in the MZ header.
> 
> Thanks,
> Nathan


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------


