Snort mailing list archives
Re: Rule message change 27875
From: Y M <snort () outlook com>
Date: Mon, 13 Jan 2014 19:47:01 +0000
The rule is still relevant though in the context of the exploit kit as it has been observed in a very recent case.

From: jesler () cisco com
To: joseph.cooper () RACKSPACE COM
Date: Wed, 8 Jan 2014 20:55:45 +0000
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Rule message change 27875

On Jan 8, 2014, at 2:22 PM, Joseph Cooper <joseph.cooper () RACKSPACE COM> wrote:

I was wanting your opinions and checking to see if we could get the msg for this rule changed. The rule doesn't actually look for DotCachef itself, but for JJEncoding, which a lot of software and ad sites are starting to use. Having the rule message state it is an Exploit-Kit has caused fellow analysts to continuously look for what is not there, and I feel a change would be beneficial to all. Let me know what you think.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27875; rev:1; )

Sounds good, I'll adjust it to something more appropriate.
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
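Cooper's point is that the rule's content option is a generic JJEncode fingerprint rather than anything specific to DotCache. The following added example (not code from the thread or from the Snort project) decodes the rule's content string into the literal bytes Snort actually searches for, using Snort's `|..|` hex-delimiter and backslash-escape conventions, and runs that byte search over two constructed HTTP response bodies: one imitating the fixed object-literal prologue JJEncode emits (`$={___:++$,$$$$:(![]+"")[$],...}`, whose property names do not depend on the variable name the encoder was given), and one of ordinary JavaScript. The sample bodies are constructed for illustration, not captured traffic, and the check reproduces only the `content` match on the `file_data` buffer, not the `flow` or `service` conditions the real rule also applies.

```python
# Snort rule 27875's content option, copied from the message above.
# Inside a Snort content string, text between '|' characters is a list of
# hex bytes, and a backslash escapes the characters ';', '"', '\' and '|'.
RULE_CONTENT = ',$$$$|3A|(![]+|22 22|)'


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string into the raw bytes it matches."""
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == '|':
            # Hex section: everything up to the next '|' is whitespace-separated hex bytes.
            end = content.index('|', i + 1)
            out += bytes.fromhex(content[i + 1:end])
            i = end + 1
        elif ch == '\\':
            # Backslash escape: take the next character literally.
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


# Constructed sample bodies (not captured traffic).  The first imitates the
# prologue JJEncode emits for every payload; the second is ordinary JavaScript.
JJENCODE_STYLE_BODY = (
    b'<html><script>'
    b'$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$};'
    b'</script></html>'
)
BENIGN_BODY = b'<html><script>var obj = {a: 1, b: (![]+"")[0]};</script></html>'


def rule_27875_matches(http_response_body: bytes) -> bool:
    """Apply the rule's content check to a response body.

    This mirrors what the 'content' option tests against the file_data
    buffer: a plain byte substring search.  It does not reproduce the
    flow:to_client,established or service http checks of the real rule.
    """
    return snort_content_to_bytes(RULE_CONTENT) in http_response_body


if __name__ == "__main__":
    print("rule searches for:", snort_content_to_bytes(RULE_CONTENT))
    print("JJEncode-style body matches:", rule_27875_matches(JJENCODE_STYLE_BODY))
    print("benign body matches:", rule_27875_matches(BENIGN_BODY))
```

Decoding the content string this way is a quick sanity check an analyst can do for any rule whose message seems to over-promise: if the literal bytes are a property of an encoder or library rather than of the threat named in `msg`, the alert will fire on every site that uses that encoder, which is exactly the false-lead problem raised in the thread.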
Current thread:
- Rule message change 27875 Joseph Cooper (Jan 08)
- Re: Rule message change 27875 Joel Esler (jesler) (Jan 08)
- Re: Rule message change 27875 Y M (Jan 13)
- Re: Rule message change 27875 Joel Esler (jesler) (Jan 08)