Snort mailing list archives
Re: question regarding distance 0 modifier
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 18 Jul 2014 13:53:48 +0000
On Jul 17, 2014, at 7:56 PM, James Dickenson <jdickenson () gmail com> wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; flow:to_server,established; content:"/search"; http_uri; content:"?h1="; distance:0; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"&h4="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:7;)

Let me display our rule like this, might make it easier:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; \
flow:to_server,established; \
content:"/search"; http_uri; \
content:"?h1="; distance:0; http_uri; \
# This means that the h1 match must take place after the "/search" match in the previous line. No restrictions on where, just after.
content:"&h2="; distance:0; http_uri; \
# This means that the h2 match must take place after the "h1" match in the previous line. No restrictions on where, just after.
content:"&h3="; distance:0; http_uri; \
# This means that the h3 match must take place after the "h2" match in the previous line. No restrictions on where, just after.
content:"&h4="; distance:0; http_uri; \
# This means that the h4 match must take place after the "h3" match in the previous line. No restrictions on where, just after.
content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; \
pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; \
# The two above matches are in the "http_header" buffer (completely different buffer, so no distance matches there).
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; \
reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; \
classtype:trojan-activity; \
)

You'll notice all the "h{1-4}" matches are in the http_uri buffer. So you can perform relative checks on the matches in the same buffer.

Does that help?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
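To make the chaining behaviour concrete, here is a small Python model of how the options above evaluate: each distance:0 content must start at or after the end of the previous match in the same buffer, and the http_header checks run against a separate buffer with no shared cursor. This is an added illustration written for this archive page, not Snort code; the sample URI and header strings are constructed.

```python
import re

# Ordered http_uri content chain from sid:21240. The first literal may
# match anywhere; every later one carries distance:0, i.e. it must begin
# at or after the end of the previous match in the SAME buffer.
URI_CHAIN = ["/search", "?h1=", "&h2=", "&h3=", "&h4="]

# http_header content (the |hex| bytes of the rule decoded) and the /H pcre.
HEADER_LITERAL = "User-Agent: Mozilla/5.0 (compatible;"
HEADER_PCRE = re.compile(r"\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a")


def match_chain(buf: str, literals) -> bool:
    """Emulate a content chain where each literal after the first is
    distance:0 relative to the previous match in this buffer."""
    cursor = 0  # Snort's relative-match position inside this buffer
    for lit in literals:
        idx = buf.find(lit, cursor)
        if idx < 0:
            return False  # present earlier in the buffer does not count
        cursor = idx + len(lit)  # distance is measured from the match end
    return True


def rule_matches(uri: str, header: str) -> bool:
    """Combine both buffers. The header checks do not see the URI cursor:
    they are a different buffer, so no distance relation exists between them."""
    return (match_chain(uri, URI_CHAIN)
            and HEADER_LITERAL in header
            and HEADER_PCRE.search(header) is not None)


# Constructed sample traffic (not captured data).
URI_ORDERED = "/search?h1=a&h2=b&h3=c&h4=d"
URI_SHUFFLED = "/search?h1=a&h3=c&h2=b&h4=d"   # all parts present, wrong order
HEADER_HIT = ("Host: cnc.example.test\r\n"
              "User-Agent: Mozilla/5.0 (compatible;MSIE;)\r\n")
HEADER_BENIGN = "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\r\n"

if __name__ == "__main__":
    print(rule_matches(URI_ORDERED, HEADER_HIT))     # True
    print(rule_matches(URI_SHUFFLED, HEADER_HIT))    # False: &h3= not after &h2=
    print(rule_matches(URI_ORDERED, HEADER_BENIGN))  # False: pcre needs ";[A-Z]*;)"
```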
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- question regarding distance 0 modifier James Dickenson (Jul 17)
- Re: question regarding distance 0 modifier Joel Esler (jesler) (Jul 18)
- Re: question regarding distance 0 modifier James Dickenson (Jul 18)
- Re: question regarding distance 0 modifier Joel Esler (jesler) (Jul 18)