Snort mailing list archives
Re: [Emerging-Sigs] Rule assist
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 25 Jun 2013 12:23:03 -0600
On Jun 25, 2013, at 11:51 AM, Will Metcalf <wmetcalf () emergingthreatspro com> wrote:
Just as an FYI all of my hits on these eventually lead to smoke loader and its associated sigs firing.

Regards,
Will
Hey thanks Will…maybe I'll call it Initial Smoke Loader redirect or something more exciting than "Unknown". James
On Tue, Jun 25, 2013 at 12:22 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2013-06-25 11:10, Joel Esler wrote:

content:"GET /?1 HTTP/1.1"; fast_pattern:only;

is your best bet. You could break it out like this if you want:

urilen:3; content:"GET"; http_method; content:"/?1"; http_uri; content:"HTTP/1.1";

"HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the problem?

--
JOEL ESLER
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Thanks Joel and Will...here's the full rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000082; rev:1;)

Going to run this in production and see how it flies.

James

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
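An added toy model of the buffer distinction Joel raises above (example code, not from the thread or from Snort): it splits a request line into the http_method and http_uri buffers that the broken-out rule inspects, contrasts that with the raw-payload match of the one-line content, and shows why content:"HTTP/1.1" with http_uri could never fire. The sample request lines are constructed; the real http_inspect preprocessor normalises URIs and does far more than this.

```python
# Toy model of Snort 2.x HTTP buffers for the rule forms discussed in the thread.
# Not Snort code: the real preprocessor normalises the URI and handles
# headers, bodies and evasions; this only covers a bare request line.
from dataclasses import dataclass
from typing import Optional


@dataclass
class HttpBuffers:
    raw: bytes      # whole request line: what a plain content: match sees
    method: bytes   # http_method buffer
    uri: bytes      # http_uri buffer (normalised URI in real Snort)


def split_request_line(line: bytes) -> Optional[HttpBuffers]:
    """Split 'METHOD SP URI SP VERSION' into Snort-style buffers."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3:
        return None  # malformed; http_inspect raises its own alert here
    return HttpBuffers(raw=line, method=parts[0], uri=parts[1])


def match_raw(line: bytes) -> bool:
    """James's rule: content:"GET /?1 HTTP/1.1"; against the raw payload."""
    return b"GET /?1 HTTP/1.1" in line


def match_broken_out(line: bytes) -> bool:
    """Joel's alternative: urilen:3; content:"GET"; http_method;
    content:"/?1"; http_uri;  The version is checked by neither buffer."""
    b = split_request_line(line)
    if b is None:
        return False
    return len(b.uri) == 3 and b"GET" in b.method and b"/?1" in b.uri


def version_in_uri_buffer(line: bytes) -> bool:
    """What content:"HTTP/1.1"; http_uri; would do: never match, because
    the version string is not part of the URI buffer."""
    b = split_request_line(line)
    return b is not None and b"HTTP/1.1" in b.uri


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    b"GET /?1 HTTP/1.1\r\n",    # the redirect the thread is about
    b"GET /?10 HTTP/1.1\r\n",   # longer URI: both forms miss it
    b"GET /?1 HTTP/1.0\r\n",    # HTTP/1.0: only the broken-out form fires
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.strip(), match_raw(s), match_broken_out(s), version_in_uri_buffer(s))
```

The third sample is the practical difference between the two forms: the raw one-liner silently ties the signature to the HTTP/1.1 version string, while the buffer-based form does not.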