Snort mailing list archives

Re: Sid 21858


From: Oscar A <o_ama_lo () hotmail com>
Date: Wed, 15 Oct 2014 16:57:45 -0500


Hi, this is the .pcap
Regards!
From: o_ama_lo () hotmail com
To: jesler () cisco com
Subject: RE: [Snort-sigs] Sid 21858
Date: Wed, 15 Oct 2014 15:35:04 -0500




Thanks very much, I have the pcap

From: jesler () cisco com
To: o_ama_lo () hotmail com
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Sid 21858
Date: Wed, 15 Oct 2014 20:09:13 +0000

Since the second content match is a “fast_pattern:only”, it’s case insensitive. So uppercase, lowercase, doesn’t matter.
This would be a lot easier if you could send a pcap for us to look at.
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
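To make the two points in the reply concrete (every content option must match for the rule to fire, and a fast_pattern:only content is matched case-insensitively), here is an added Python emulation of the rule's two content matches. It is not Snort's code; the payloads are constructed, modelled on the bytes quoted in the question, and the SID_21858_CONTENTS list reproduces only the two content strings shown in the thread.

```python
def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string (text with |hex| escapes) into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text outside the pipes
        else:
            out += bytes.fromhex(chunk)      # hex inside the pipes, spaces allowed
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, nocase: bool) -> bool:
    """One 'content' option: substring search, optionally ASCII case-insensitive.
    A content used as fast_pattern:only is only seen by the case-insensitive
    fast-pattern matcher, so it is treated here exactly like nocase."""
    if nocase:
        return pattern.lower() in payload.lower()   # bytes.lower() folds ASCII only
    return pattern in payload


def check_contents(payload: bytes, contents) -> list:
    """Per-content results, useful for seeing which option keeps a rule from firing."""
    return [content_matches(payload, parse_snort_content(c), nocase) for c, nocase in contents]


def rule_matches(payload: bytes, contents) -> bool:
    """All content options are ANDed: the rule fires only if every one matches."""
    return all(check_contents(payload, contents))


# (content string, case-insensitive?) as discussed in the thread: the first content
# is an exact byte match, the second is fast_pattern:only.
SID_21858_CONTENTS = [
    ("|FF|SMB|A2 00 00 00 00|", False),
    ("m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|", True),
]

# Constructed payloads (not from the pcap): SMB header fragment + UTF-16LE filename.
# The first mirrors the quoted bytes: upper-case MSIEXEC.EXE followed by 00 22 00
# rather than the 00 00 00 the rule expects; the second has the null terminator.
SMB_HDR = b"\xffSMB\xa2\x00\x00\x00\x00"
PAYLOAD_QUOTE_TERMINATED = SMB_HDR + "MSIEXEC.EXE".encode("utf-16-le") + b"\x22\x00"
PAYLOAD_NULL_TERMINATED = SMB_HDR + "MSIEXEC.EXE".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print(check_contents(PAYLOAD_QUOTE_TERMINATED, SID_21858_CONTENTS))  # [True, False]
    print(check_contents(PAYLOAD_NULL_TERMINATED, SID_21858_CONTENTS))   # [True, True]
```

Upper-case MSIEXEC.EXE passes the second content because of the case folding, but the 00 22 00 tail still fails the trailing |00 00 00|; the emulation ignores offset/depth/distance/within and other modifiers a real rule may carry.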
On Oct 15, 2014, at 2:23 PM, Oscar A <o_ama_lo () hotmail com> wrote:

Hi, can somebody help me please? I find only exact matches for the first content

content:"|FF|SMB|A2 00 00 00 00|"; 

But for the second content, only the first 2 hexadecimal values match

content:"m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"

Isn't it supposed that all content matches must be true for the rule to trigger an event, that is, each content match has an AND relationship with the others? So why are drop events triggering only when the first content is matched?

I'm having this match 4d 00 53 00 49 00 45 00 58 00 45 00 43 00 2E 00 45 00 58 00 45 (00 22 00), but the m s i e x e c . e x e are in upper case and the last three 00 00 00 between parentheses are not matching

Regards!

Attachment: request_1413385474.rar
Description:

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
