Snort mailing list archives

Re: Proposed update to 1:28039


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 22 Dec 2014 15:41:21 +0000

On Dec 19, 2014, at 11:06 PM, Jeremy Hoel <jthoel () gmail com> wrote:


This was discussed this time last year and the answer was that since u.pw is still a pw domain, you
should modify the rule locally to negate it.  It makes sense since allowing that domain is still going to be a matter
of policy for where Snort is running.  It's pretty easy to do a modifysid to add the !content match and update the
rule for you.

On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov> wrote:
Since Upworthy purchased u.pw
(http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/), should we update INDICATOR-COMPROMISE
Suspicious .pw dns query (1:28039) to add the following:

content:!"|01 75 02 70 77 00|"; offset:12; depth:6;

Cheers,

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)



I've just updated the rule to negate u.pw.  This rule should ship soon.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
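The following is an added example, not code from the thread or from the Snort rule set. It encodes a DNS question name the way it appears on the wire and mirrors the matching logic discussed above: flag a query for a name under .pw, except when the QNAME is exactly u.pw, which is what the proposed `content:!"|01 75 02 70 77 00|"; offset:12; depth:6;` negation excludes (offset 12 is the first byte after the fixed DNS header, and `01 75 02 70 77 00` is the label encoding of u.pw). The rule's positive match is assumed here to be the `.pw` label followed by the root label (bytes `02 70 77 00`) at the end of the QNAME; the thread does not reproduce 1:28039's actual options, so that part is an assumption for illustration.

```python
"""Added example: DNS QNAME label encoding and the u.pw negation from the thread.

Assumption (not from the thread): the rule's positive match is the ".pw"
label followed by the root label at the end of the QNAME. The negation is
the one proposed on the list, applied byte-for-byte at offset 12, depth 6.
"""
import struct

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)

PW_TLD_TAIL = b"\x02pw\x00"       # assumed positive match: ".pw" label + root label
U_PW_EXACT = b"\x01u\x02pw\x00"   # content:!"|01 75 02 70 77 00|" from the thread


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: one length byte per label, terminated by a zero byte.

    Case is preserved: the DNS wire format carries the name as the client
    sent it, which matters because a Snort content match without nocase
    compares raw bytes.
    """
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: standard A/IN query, RD set, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def parse_qname(packet: bytes, offset: int):
    """Walk the labels starting at offset; return the raw QNAME bytes or None."""
    i = offset
    while i < len(packet):
        length = packet[i]
        if length == 0:
            return packet[offset:i + 1]
        if length & 0xC0:          # compression pointers are not valid in a question name
            return None
        i += 1 + length
    return None


def suspicious_pw_query(packet: bytes) -> bool:
    """Mirror of the two content checks discussed in the thread.

    1. (assumed) the QNAME ends with the .pw label and the root label
    2. the six bytes at offset 12 are NOT exactly "u.pw", so the Upworthy
       shortener does not alert; anything else under .pw, including
       foo.u.pw, still does because depth:6 only covers an exact u.pw
    """
    qname = parse_qname(packet, DNS_HEADER_LEN)
    if qname is None or not qname.endswith(PW_TLD_TAIL):
        return False
    # content:!"|01 75 02 70 77 00|"; offset:12; depth:6;
    if packet[DNS_HEADER_LEN:DNS_HEADER_LEN + 6] == U_PW_EXACT:
        return False
    return True


if __name__ == "__main__":
    for host in ("u.pw", "foo.u.pw", "evil.pw", "example.com"):
        pkt = build_query(host)
        print(f"{host:12s} qname={pkt[12:12 + len(encode_qname(host))].hex()} "
              f"alert={suspicious_pw_query(pkt)}")
```

Two points worth checking before deploying the same negation locally: `depth:6` anchored at `offset:12` exempts only a QNAME that is exactly u.pw, so a query for a subdomain of u.pw still fires, which is what the thread asks for; and the content line as posted has no `nocase`, so the exclusion is byte-exact and a client that sends `U.PW` in mixed case is not covered by it.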
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

