Snort mailing list archives
Re: Suggested pcre addition to 1:6251
From: rmkml <rmkml () yahoo fr>
Date: Wed, 24 Nov 2010 22:06:46 +0100 (CET)
Hi,
VRT have enhanced this rule to rev 7 on SEU 362 (25 aug 2010)...
(with pcre and http_header and fast_pattern...)
Regards
Rmkml

On Wed, 24 Nov 2010, Jason Wallace wrote:
> Or maybe a user_agent: rule option that limits the search to the
> user-agent header?
>
> On Wed, Nov 24, 2010 at 2:31 PM, CunningPike <cunningpike () gmail com> wrote:
>> Hi there,
>>
>> I get a lot of false positives on the following rule:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hotbar runtime detection - hostie user-agent"; flow:to_server,established; content:"User-Agent|3A| "; nocase; content:"hostie"; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips alert; reference:url,www.spywareguide.com/product_show.php?id=481; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474; classtype:misc-activity; sid:6251; rev:5;)
>>
>> from content like this:
>>
>> GET /2.5.1/js/CF_insight.min.js HTTP/1.1..Accept: */*..Referer: http://www.theweathernetwork.com/weather/cabc0308..Accept-Language: en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Connection: Keep-Alive..Host: scripthostie6.crowdfactory.com....
>>
>> I'm wondering whether the addition of the following pcre would help keep the match within the User-Agent field:
>>
>> pcre:"/User-Agent:[^\x0D\x0A]*hostie.*/smi";
>>
>> or whether it would allow for evasion of some kind. If this is a good idea, there are probably other UA-based sigs that could benefit from the same treatment.
>>
>> Thoughts?
>>
>> CP
>>
>> ------------------------------------------------------------------------------
>> Increase Visibility of Your 3D Game App & Earn a Chance To Win $500!
>> Tap into the largest installed PC base & get more eyes on your game by
>> optimizing for Intel(R) Graphics Technology. Get started today with the
>> Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
>> http://p.sf.net/sfu/intelisp-dev2dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs () lists sourceforge net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
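Added example (editor's code, not part of the archived thread, the VRT rule, or any Snort option): the false positive CunningPike reports comes from the semantics of the rev 5 rule, where content:"hostie"; distance:0; only requires the second match to start after "User-Agent: " ends, so a "hostie" substring in a later header such as Host still fires. The block below emulates that rev 5 content logic, the pcre proposed in the thread with its /smi modifiers, and a minimal header-aware lookup standing in for the header-scoped rule option Jason Wallace suggested, then runs all three over constructed requests. The first request mirrors the one quoted in the thread with its ".." line breaks written out as CRLF; the true-positive request and the obs-fold (continuation-line) request are hypothetical, and the obs-fold case goes beyond what the thread discusses: it is one example of input that a line-scoped regex and a header parser treat differently.

```python
import re

# Constructed sample traffic for this added example (not from the archive).
# Mirrors the request quoted in the thread; "hostie" occurs only inside the
# Host header, not in the User-Agent value.
FALSE_POSITIVE_REQUEST = (
    b"GET /2.5.1/js/CF_insight.min.js HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.theweathernetwork.com/weather/cabc0308\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: scripthostie6.crowdfactory.com\r\n"
    b"\r\n"
)

# Hypothetical true positive: the token sits in the User-Agent value itself.
TRUE_POSITIVE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: hostie 2.0\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)

# Hypothetical edge case (assumption, not from the thread): the User-Agent
# value continues on an obs-fold line (leading whitespace), which HTTP/1.1
# permits but which a regex scoped to one line never sees.
FOLDED_UA_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b" hostie\r\n"
    b"Host: example.invalid\r\n"
    b"\r\n"
)


def rev5_content_match(payload: bytes) -> bool:
    """Emulate sid 6251 rev 5:
         content:"User-Agent|3A| "; nocase; content:"hostie"; distance:0; nocase;
    distance:0 only requires the second match to begin after the first one
    ends; it does not stop the search at the end of the User-Agent line."""
    p = payload.lower()
    start = p.find(b"user-agent: ")
    if start < 0:
        return False
    return p.find(b"hostie", start + len(b"user-agent: ")) >= 0


# The pcre proposed in the thread, with the same s, m and i modifiers.
PROPOSED_PCRE = re.compile(rb"User-Agent:[^\x0D\x0A]*hostie.*", re.S | re.M | re.I)


def proposed_pcre_match(payload: bytes) -> bool:
    """[^\\x0D\\x0A]* cannot cross a line break, so "hostie" has to occur on
    the User-Agent line itself; the trailing .* adds nothing to the decision."""
    return PROPOSED_PCRE.search(payload) is not None


def header_value(payload: bytes, name: bytes):
    """Hypothetical stand-in for a header-scoped rule option: parse the request
    head, join obs-fold continuation lines onto the preceding header, and return
    the value of the first header named `name` (case-insensitive) or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    fields = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t") and fields:  # obs-fold continuation
            fields[-1][1] += b" " + line.strip()
            continue
        key, sep, value = line.partition(b":")
        if sep:
            fields.append([key.strip().lower(), value.strip()])
    for key, value in fields:
        if key == name.lower():
            return value
    return None


def header_scoped_match(payload: bytes) -> bool:
    """Apply the "hostie" check to the User-Agent value only."""
    ua = header_value(payload, b"User-Agent")
    return ua is not None and b"hostie" in ua.lower()


def compare(payload: bytes) -> dict:
    """Run the three checks so their differences can be read side by side."""
    return {
        "rev5_content": rev5_content_match(payload),
        "proposed_pcre": proposed_pcre_match(payload),
        "header_scoped": header_scoped_match(payload),
    }


if __name__ == "__main__":
    for label, req in [("false positive", FALSE_POSITIVE_REQUEST),
                       ("true positive", TRUE_POSITIVE_REQUEST),
                       ("folded UA", FOLDED_UA_REQUEST)]:
        print(f"{label:15} {compare(req)}")
```

On the quoted request only the rev 5 content logic fires; the proposed pcre and the header-scoped check both stay quiet while still matching the true-positive request. The folded case shows the difference between the two fixes: the pcre's line scoping is what removes the false positive, but it also means the check sees only the first physical line of a folded header, whereas a parser that understands header structure (what Jason Wallace's suggested option or the http_header buffer rmkml mentions would provide) evaluates the whole value.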
Current thread:
- Suggested pcre addition to 1:6251 CunningPike (Nov 26)
- Re: Suggested pcre addition to 1:6251 Jason Wallace (Nov 26)
- Re: Suggested pcre addition to 1:6251 rmkml (Nov 26)
- Re: Suggested pcre addition to 1:6251 Jason Wallace (Nov 26)