[Emerging-Sigs] [PHI] [Domain Keys] Blackhole served via Yahoo

Nathan nathan at packetmail.net
Mon Dec 17 09:11:04 HAST 2012


On Mon, 17 Dec 2012 12:57:57 -0600 Martin Holste <mcholste at gmail.com> wrote

> ...  Is anyone else seeing hits for these?

-- Hunt 1: '.jar' URLs fetched from 98.139.135.21-22 since the start of the month (407 = proxy-auth challenge, excluded)
SELECT DISTINCT url, dest_ip FROM webwasher_full
WHERE day >= '2012-12-01' AND http_status <> '407'
  AND dest_ip RLIKE '98\\.139\\.135\\.2[1-2]' AND url LIKE '%.jar%';

-- Hunt 2: any URL containing /java.jar, regardless of destination
SELECT DISTINCT url, dest_ip FROM webwasher_full
WHERE day >= '2012-12-01' AND http_status <> '407'
  AND lower(url) LIKE '%/java.jar%';

Nada.  Can you share a specific URL?

Also, the sig has a "nocase;" on the fast_pattern:only content:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015487; rev:7;)
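The two hunting queries and the match logic of sid:2015487, re-implemented in Python over a small constructed proxy log, as an added example that is not code from the original message or from Emerging Threats. The record layout (a webwasher-style row plus the raw request headers), the host names, addresses, paths and User-Agent strings are all assumptions made for the example, not observed traffic.

```python
"""
Added example, not code from the original message or the ET project: it
re-implements Nathan's two log-hunting queries and the match logic of
sid:2015487 in Python over a small, constructed proxy log, so the filters
can be checked against known-good and known-bad records offline.
Assumptions: a webwasher-style record with day, http_status, dest_ip, url
and the raw request headers; all records, IPs and URLs below are made up.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyRecord:
    day: str          # 'YYYY-MM-DD', compared as a string like the SQL 'day' column
    http_status: str  # proxy-side status; '407' is a proxy-auth challenge, not a fetch
    dest_ip: str
    url: str
    headers: str      # raw request headers, the equivalent of Snort's http_header buffer


# Constructed sample log (hypothetical hosts and paths, not real hits).
SAMPLE_LOG = [
    # Java client pulling /java.jar from one of the addresses in the query.
    ProxyRecord("2012-12-03", "200", "98.139.135.21",
                "http://host-a.example/files/java.jar?id=7",
                "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_23\r\nHost: host-a.example\r\n"),
    # Same address, but only a 407 proxy-auth challenge: the fetch never completed.
    ProxyRecord("2012-12-03", "407", "98.139.135.22",
                "http://host-a.example/files/java.jar",
                "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_23\r\nHost: host-a.example\r\n"),
    # Mixed-case path; caught by lower(url) and by the nocase http_uri content.
    ProxyRecord("2012-12-05", "200", "203.0.113.9",
                "http://host-b.example/Java.JAR",
                "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_09\r\nHost: host-b.example\r\n"),
    # Browser, not the Java plugin, fetching a jar: URI matches, header does not.
    ProxyRecord("2012-12-05", "200", "203.0.113.9",
                "http://host-b.example/java.jar",
                "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0\r\nHost: host-b.example\r\n"),
    # Before the query window.
    ProxyRecord("2012-11-28", "200", "98.139.135.21",
                "http://host-a.example/files/java.jar",
                "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_23\r\nHost: host-a.example\r\n"),
    # Unanchored RLIKE side effect: '198.139.135.210' contains '98.139.135.21'.
    ProxyRecord("2012-12-06", "200", "198.139.135.210",
                "http://host-c.example/app.jar",
                "User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31\r\nHost: host-c.example\r\n"),
]

# Same pattern as the RLIKE; MySQL's '\\.' in the string literal is '\.' to the regex engine.
DEST_IP_RE = re.compile(r"98\.139\.135\.2[1-2]")


def query_jar_by_dest_ip(records, since="2012-12-01", anchored=False):
    """First query: distinct (url, dest_ip) with the dest_ip regex and '%.jar%'.
    RLIKE is unanchored, so by default '198.139.135.210' matches too; pass
    anchored=True to require the whole column to match."""
    pattern = re.compile(r"^98\.139\.135\.2[12]$") if anchored else DEST_IP_RE
    return sorted({(r.url, r.dest_ip) for r in records
                   if r.day >= since and r.http_status != "407"
                   and pattern.search(r.dest_ip) and ".jar" in r.url})


def query_java_jar(records, since="2012-12-01"):
    """Second query: distinct (url, dest_ip) where lower(url) LIKE '%/java.jar%'."""
    return sorted({(r.url, r.dest_ip) for r in records
                   if r.day >= since and r.http_status != "407"
                   and "/java.jar" in r.url.lower()})


def sid_2015487_matches(url, headers):
    """Match logic of the rule: '/java.jar' in the request URI (nocase) and
    ' Java/1' somewhere in the headers (no nocase, so case-sensitive)."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return "/java.jar" in uri.lower() and " Java/1" in headers


def rule_hits(records):
    """Records the rule would have alerted on. The sig looks only at the client
    request, so the proxy's status code and the query's date window do not apply."""
    return [r for r in records if sid_2015487_matches(r.url, r.headers)]
```

Two things the constructed log is built to show: the RLIKE in the first query is unanchored, so a destination such as 198.139.135.210 satisfies it as well (the `anchored=True` variant closes that), and the rule's two contents differ in case handling as written, with the http_uri content under nocase while the " Java/1" header content is case-sensitive, so a Firefox request for the same jar matches the second query but not the rule.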



