TippingPoint Digital Vaccine Laboratories

ThreatLinQ: Spotlight on Filter 5682

In our last 'Spotlight' blog post we looked at a filter which is likely to hit thousands of times a day on your network. This time, we are going to focus on a filter which hits much more rarely, but which is still an important filter to have in your arsenal: Filter 5682 "Suspicious Hexadecimal IP address in URL".

In a nutshell, this filter detects an obfuscation technique used to disguise the target of a link. In most cases, web sites either link to hostnames (http://www.example.com for example) or they link to IP addresses (http://127.0.0.1). This is straightforward, and people nowadays expect to see one of the two formats.

However, by converting an IP address to a /number/ and then converting that number into hexadecimal format, it is possible to create a link which looks completely different (which may fool humans and blacklist scripts alike). For example, take the following link and put it into Internet Explorer or Firefox (it does not work in Opera or Safari) -> http://0x42b3d026
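To make the decoding concrete, here is an added Python example (not TippingPoint code, and not how filter 5682 is implemented) that extracts the host from a URL, recognises a single hexadecimal or bare decimal integer standing in for an address, and converts it back to dotted-quad form; the decimal variant is a generalization of the hex case described above, since browsers accept a plain 32-bit integer as a host too. The sample URLs other than http://0x42b3d026 are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs for the example; only http://0x42b3d026 comes from the post.
SAMPLE_URLS = [
    "http://0x42b3d026",                    # whole address as one hex number
    "http://1119080486/login",              # same address as a decimal integer
    "http://www.example.com/index.html",    # ordinary hostname
    "http://127.0.0.1/",                    # ordinary dotted-quad, not flagged
]

_HEX_HOST = re.compile(r"^0x[0-9a-f]{1,8}$", re.IGNORECASE)
_DEC_HOST = re.compile(r"^[0-9]{1,10}$")


def decode_numeric_host(host):
    """Return the dotted-quad for a 0x... or bare-decimal host, else None.

    A normal dotted-quad contains dots and matches neither pattern, so it is
    left alone; only the single-integer forms are treated as suspicious.
    """
    if _HEX_HOST.match(host):
        value = int(host, 16)
    elif _DEC_HOST.match(host):
        value = int(host, 10)
    else:
        return None
    if value > 0xFFFFFFFF:          # cannot be an IPv4 address
        return None
    # Split the 32-bit integer back into its four octets, most significant first.
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url):
    """Return (is_suspicious, decoded_ip_or_None) for one URL."""
    host = urlsplit(url).hostname or ""
    decoded = decode_numeric_host(host)
    return (decoded is not None, decoded)


def flag_urls(urls):
    """Map each suspicious URL to the real address it hides."""
    return {u: ip for u, (hit, ip) in ((u, inspect_url(u)) for u in urls) if hit}


if __name__ == "__main__":
    for url, real_ip in flag_urls(SAMPLE_URLS).items():
        print(f"{url} -> {real_ip}")
```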

Cool huh?  Now, the reason we are spotlighting filter 5682 in particular is that it falls into a gray area when it comes to blocking.  In nearly every case we have seen, this technique is used by phishing sites and other malicious sites to obfuscate the targets of their links.  However, we have seen one or two quasi-legitimate sites using this as well.  Because of this quasi-legitimate usage, we cannot ship this filter enabled by default.  However, I'll go out on a limb and say that most TippingPoint customers could probably enable this filter without any problems.

So, to recap: it's possible to obfuscate an IP address in an HTML link by converting it into hexadecimal.  Attackers are using this technique in the wild.  Filter 5682 blocks these attackers.  However, a small minority of quasi-legitimate sites also use this technique, so you must use caution when enabling this filter on your network.

And just to finish off, here is a screenshot of the ThreatLinQ graph for this filter.  As I said, this is a rarely used technique, but it is being used, and it is best to protect yourself before it gets used on your network.

Published On: 2008-09-24 13:26:52