Snort mailing list archives
Re: Snort-sigs Digest, Vol 85, Issue 22
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 26 Jun 2013 22:54:11 -0400
Doesn't really matter in this case. But it's even more irrelevant since you used fast_pattern:only

--
Joel Esler
Sent from my iPad

On Jun 26, 2013, at 6:50 PM, James Lay <jlay () slave-tothe-box net> wrote:
On 2013-06-26 16:11, John Cal wrote:
> On Wed, Jun 26, 2013 at 2:28 PM, <snort-sigs-request () lists sourceforge net> wrote:
>> Yippee
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC W32.Trojan.PinkStats outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header; content:"/count.asp?mac="; http_uri; content:"&ver="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; classtype:trojan-activity; sid:10000083; rev:1;)
>>
>> Rule 24015 seems to be a cousin: MALWARE-CNC W32.Trojan.Magania
>>
>> James
>
> James, are there any benefits to having your rule match the URI content before the UA content? I might need to read some additional material to understand the order in which a signature is read by Snort, but the correct flow would have the URI before the UA header, correct?

I think that would normally be the case, but I'm thinking the fast_pattern checks to see if the UA is "Google page" first, then goes on with the rest of the check. fast_pattern still confuses me too... what say you, group, is that good reasoning for the UA to be checked before the URI?

James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
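The point Joel makes above (that content order is irrelevant to which check runs first, and doubly so with fast_pattern:only) is easiest to see in a toy model of Snort 2.x's two-stage detection. The following Python is an added example written for this page; it is not Snort source and not code from anyone in the thread. It models only what the thread discusses: one content per rule is chosen as the fast pattern (the one tagged fast_pattern, otherwise the longest), the prefilter tests that content first regardless of where it sits in the rule, and the remaining content options are walked in written order only for packets that pass the prefilter. With fast_pattern:only the fast-pattern content is consulted in the prefilter and never re-evaluated as a rule option. The class names, the helper functions and the two HTTP requests are all constructed for the example.

```python
# Added example (not Snort source, not code from this thread): a toy model of
# the prefilter + rule-option walk behind the fast_pattern discussion.
# Names (Content, Rule, http_buffers, evaluate, first_check) and the sample
# requests are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Content:
    pattern: bytes
    buffer: str                 # toy buffer names: "http_header" or "http_uri"
    fast_pattern: bool = False  # content tagged fast_pattern
    only: bool = False          # fast_pattern:only


@dataclass
class Rule:
    sid: int
    contents: list

    def fast_pattern_content(self) -> Content:
        """The single content handed to the prefilter: tagged one, else longest."""
        tagged = [c for c in self.contents if c.fast_pattern]
        if tagged:
            return tagged[0]
        return max(self.contents, key=lambda c: len(c.pattern))


def http_buffers(raw: bytes) -> dict:
    """Split a raw HTTP request into toy equivalents of Snort's HTTP buffers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, uri, _version = lines[0].split(b" ", 2)
    return {
        "http_uri": uri,
        "http_header": b"\r\n".join(lines[1:]) + b"\r\n",
        "http_client_body": body,
    }


def evaluate(rule: Rule, buffers: dict, trace=None) -> bool:
    """Return True if the rule fires; append (stage, pattern) pairs to `trace`."""
    trace = trace if trace is not None else []
    fp = rule.fast_pattern_content()
    trace.append(("prefilter", fp.pattern))       # always the first test
    if fp.pattern not in buffers.get(fp.buffer, b""):
        return False                              # rule body never reached
    for c in rule.contents:                       # rule-option walk, written order
        if c is fp and c.only:
            continue                              # fast_pattern:only: not re-evaluated
        trace.append(("option", c.pattern))
        if c.pattern not in buffers.get(c.buffer, b""):
            return False
    return True


UA = Content(b"User-Agent: Google page\r\n", "http_header", fast_pattern=True, only=True)
URI1 = Content(b"/count.asp?mac=", "http_uri")
URI2 = Content(b"&ver=", "http_uri")

RULE_UA_FIRST = Rule(10000083, [UA, URI1, URI2])   # order as posted in the thread
RULE_URI_FIRST = Rule(10000083, [URI1, URI2, UA])  # the order John asked about

# Constructed sample traffic (not real captures): one request shaped like the
# C2 check-in the rule describes, one with an ordinary User-Agent.
C2_REQUEST = (b"GET /count.asp?mac=001122334455&ver=1 HTTP/1.1\r\n"
              b"Host: example.invalid\r\nUser-Agent: Google page\r\n\r\n")
BENIGN_REQUEST = (b"GET /count.asp?mac=001122334455&ver=1 HTTP/1.1\r\n"
                  b"Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n")


def first_check(rule: Rule, raw: bytes) -> bytes:
    """Which content gets tested first, whatever order the rule was written in."""
    trace = []
    evaluate(rule, http_buffers(raw), trace)
    return trace[0][1]


if __name__ == "__main__":
    for rule in (RULE_UA_FIRST, RULE_URI_FIRST):
        t = []
        print(evaluate(rule, http_buffers(C2_REQUEST), t), t)
```

Both orderings fire on the C2-shaped request, both test the User-Agent content first, and the benign request never reaches the URI checks at all. Two caveats that the toy leaves out: order does still matter among the non-fast-pattern contents (put the most selective one first so the walk bails early), and fast_pattern:only cannot be combined with the relative modifiers (distance, within, offset, depth) because the content is never evaluated in the rule walk where those apply.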
Current thread:
- Re: Snort-sigs Digest, Vol 85, Issue 22 John Cal (Jun 26)
- Re: Snort-sigs Digest, Vol 85, Issue 22 James Lay (Jun 26)
- Re: Snort-sigs Digest, Vol 85, Issue 22 Joel Esler (Jun 26)
- Re: Snort-sigs Digest, Vol 85, Issue 22 James Lay (Jun 26)