Snort mailing list archives
Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Mar 2012 12:47:32 -0500
Correct me if I'm wrong, I'm on my phone right now, but I believe the additional content match just checked for the 19th object header, is that correct?

--
Joel Esler

On Mar 5, 2012, at 12:28 PM, Community Proposed <lists () packetmail net> wrote:

> On Mon, 5 Mar 2012 10:48:41 -0500 Joel Esler <jesler () sourcefire com> wrote:
>
> > Nathan, I changed our rule to this:
> >
> > alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
> >
> > It fires perfectly. Thanks for the update.
>
> Thank you Joel, if there are any false positive reports (I would be surprised if there are) we can always go with the initial additional content byte-match distance:0; against the %PDF header.
>
> Thanks,
> Nathan
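The two rule variants discussed above differ only in how the second `content` match is anchored. In rev 3 as posted, the `) /CreationDate (...)` string is an absolute match (and, with `fast_pattern:only`, it is also the string the fast-pattern matcher keys on), so it is found anywhere in the `file_data` buffer regardless of where the `%PDF-1.6` header sits. Nathan's fallback adds `distance:0`, which makes that match relative to the end of the preceding `%PDF` header match. The following toy evaluator is an added illustration, not Snort's engine or anything from the thread; the three buffers are constructed samples (they are not real Laik exploit kit PDFs), and the function names are my own.

```python
"""Toy model of the two content matches in SID 21417, rev 3, applied to a
PDF buffer.  Added illustration only: it is not Snort code, and the sample
buffers below are constructed, not real exploit-kit documents."""

# content:"%PDF-1.6|0D 0A|"  -- the |0D 0A| hex escape is CR LF
PDF_HEADER = b"%PDF-1.6\r\n"

# content:") /CreationDate (D:20110405234628)>>"  -- the fast_pattern:only string
CREATION_DATE = b") /CreationDate (D:20110405234628)>>"


def match_rev3(buf: bytes) -> bool:
    """Rev 3 as posted: both contents are absolute matches.

    With no distance/within modifier, Snort searches the second content
    from the start of the buffer, so its position relative to the header
    does not matter; both strings merely have to be present."""
    return PDF_HEADER in buf and CREATION_DATE in buf


def match_with_distance0(buf: bytes) -> bool:
    """Nathan's fallback: the second content carries distance:0, so it must
    begin at or after the end of the %PDF header match.

    Snort retries earlier content matches when a later relative match fails,
    so every occurrence of the header is tried, not just the first."""
    start = 0
    while True:
        hdr = buf.find(PDF_HEADER, start)
        if hdr == -1:
            return False
        header_end = hdr + len(PDF_HEADER)
        if buf.find(CREATION_DATE, header_end) != -1:
            return True
        start = hdr + 1  # try the next header occurrence


# Constructed sample buffers (not captured traffic).

# Ordinary layout: header first, CreationDate string later in the info dict.
SAMPLE_HIT = (
    b"%PDF-1.6\r\n"
    b"1 0 obj\n<</Type /Catalog /Pages 2 0 R>>\nendobj\n"
    b"19 0 obj\n<</Producer (x) /CreationDate (D:20110405234628)>>\nendobj\n"
    b"%%EOF\n"
)

# Benign PDF 1.6 with a different CreationDate: neither variant should fire.
SAMPLE_BENIGN = (
    b"%PDF-1.6\r\n"
    b"3 0 obj\n<</Producer (x) /CreationDate (D:20120305104841)>>\nendobj\n"
    b"%%EOF\n"
)

# CreationDate string appears BEFORE the only %PDF header.  Rev 3 still
# matches (absolute search); the distance:0 variant does not, because the
# relative match only looks past the end of the header.
SAMPLE_REORDERED = (
    b"junk <</Producer (x) /CreationDate (D:20110405234628)>> junk\n"
    b"%PDF-1.6\r\n"
    b"1 0 obj\n<<>>\nendobj\n"
)


def evaluate_all() -> dict:
    """Return each variant's verdict for each constructed sample."""
    samples = {
        "hit": SAMPLE_HIT,
        "benign": SAMPLE_BENIGN,
        "reordered": SAMPLE_REORDERED,
    }
    return {
        name: {"rev3": match_rev3(buf), "distance0": match_with_distance0(buf)}
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_all().items():
        print(f"{name:10s} rev3={verdicts['rev3']!s:5s} distance0={verdicts['distance0']}")
```

The reordered sample is the only case where the two variants disagree, which is why the absolute form in rev 3 is the broader detection and the `distance:0` form is the stricter fallback Nathan holds in reserve for false-positive reports. Note that `fast_pattern:only` cannot be combined with a relative modifier such as `distance`, so moving to the fallback also means the CreationDate string would be evaluated as a normal rule option rather than solely in the fast-pattern matcher.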
Current thread:
- Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Community Proposed (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Community Proposed (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" waldo kitty (Mar 29)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 30)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" waldo kitty (Mar 30)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 31)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Dave Venman (Mar 31)