Snort mailing list archives
Re: flowbits check needed?
From: rmkml <rmkml () yahoo fr>
Date: Sat, 15 Feb 2014 22:37:44 +0100 (CET)
Thanks YM for sharing. Well, not easy to understand whether you need the (java) flowbits or not; I think not, because the Java User-Agent is in the same request as the URI.

warn: the pcre misses a '/' after the first escape '\'. Could you share a pcap please? Maybe add urilen:17. Remove the {1} on the pcre, because \d is not repeated anymore.

warn2: the http_uri contents are not nocase, but the pcre is (i): why?

Another similar sig already exists:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2;)

Regards
@Rmkml

On Sat, 15 Feb 2014, Y M wrote:
I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/\download\.asp\?p\=\d{1}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid: 100160; rev:1;)

YM
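Editor's added example (not part of the thread, not Snort or ET code): the pcre remarks above are easy to check offline. The script below compiles the pcre body exactly as YM posted it and the form rmkml's comments lead to, runs both over a handful of constructed URIs, and also checks the length that a urilen:17 would compare. Python's re is used as a stand-in for PCRE here; for these escapes the two engines behave the same, and that is an assumption of the example.

```python
import re

# Constructed sample URIs for the demonstration (not from the thread).
SAMPLE_URIS = [
    "/download.asp?p=1",   # the request the rule is meant to catch
    "/download.asp?p=12",  # two digits: a single \d followed by $ must reject this
    "/5ownload.asp?p=1",   # nonsense URI that the posted pattern accepts
    "/DOWNLOAD.ASP?P=1",   # case variant, to show the effect of the /i flag
]

# The pcre body as posted, i.e. what sits between the / delimiters.
# The leading "\d" of "\download" is the digit class, so the pattern
# actually means "<digit>ownload.asp?p=<digit>" and never anchors on "/".
POSTED_PCRE = r"\download\.asp\?p\=\d{1}$"

# Form following rmkml's remarks: escape the leading slash, drop the
# redundant {1}, and run it case-sensitive so it agrees with the
# http_uri content matches, which carry no nocase modifier.
FIXED_PCRE = r"\/download\.asp\?p=\d$"


def pcre_matches(pattern, uri, nocase=False):
    """True when the pattern matches the URI (nocase mirrors pcre's /i)."""
    flags = re.IGNORECASE if nocase else 0
    return re.search(pattern, uri, flags) is not None


def evaluate(pattern, nocase=False):
    """Map each constructed sample URI to whether the pattern matches it."""
    return {u: pcre_matches(pattern, u, nocase) for u in SAMPLE_URIS}


def urilen(uri):
    """Length of the normalized URI, the value a urilen:N check compares."""
    return len(uri)


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_PCRE), ("fixed", FIXED_PCRE)):
        print(name, evaluate(pat))
    print("urilen of /download.asp?p=1:", urilen("/download.asp?p=1"))
```

Running it shows the posted pattern missing the real payload URI while accepting "/5ownload.asp?p=1", and the corrected pattern matching only the exact single-digit form unless nocase is requested, which is the mismatch between the content and pcre options that warn2 points at.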
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- flowbits check needed? Y M (Feb 15)
- Re: flowbits check needed? rmkml (Feb 15)
- Re: flowbits check needed? Y M (Feb 15)
- Re: flowbits check needed? Joel Esler (jesler) (Feb 16)
- Re: flowbits check needed? Y M (Feb 16)
- Re: flowbits check needed? Y M (Feb 15)
- Re: flowbits check needed? rmkml (Feb 15)