Snort mailing list archives
Re: Proposed update to 1:28039
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 22 Dec 2014 15:41:21 +0000
On Dec 19, 2014, at 11:06 PM, Jeremy Hoel <jthoel () gmail com> wrote:

> This was discussed this time last year and the answer was that since u.pw is still a pw domain, you should modify the rule locally to negate it. It makes sense since allowing that domain is still going to be a matter of policy for where snort is running at. It's pretty easy to do a modifysid to add the !content match and update the rule for you.
>
> On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov> wrote:
>
>> Since Upworthy purchased u.pw (http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/), should we update INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039) to add the following:
>>
>> content:!"|01 75 02 70 77 00|"; offset:12; depth:6;
>>
>> Cheers,
>>
>> Anthony Rodgers
>> Security Analyst
>> Michigan Security Operations Center (MiSOC)

I've just updated the rule to negate u.pw. This rule should ship soon.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
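The negation proposed in the thread only makes sense once the bytes are read against the DNS wire format: a UDP DNS message starts with a 12-byte header, so `offset:12` lands on the first byte of QNAME, and `|01 75 02 70 77 00|` is the length-prefixed label encoding of `u.pw` (`01 'u'`, `02 'p' 'w'`, terminating `00`). `depth:6` on a six-byte pattern forces the match to begin exactly at byte 12, so the clause suppresses the alert only for a query whose entire QNAME is `u.pw`; a query for a subdomain such as `www.u.pw` still fires. The model below is an added example, not code from the thread or from Talos: it builds constructed sample queries, reproduces Snort's content/offset/depth matching, and applies the proposed `!content` clause verbatim. The positive `.pw` match (`|02 70 77 00|` after the header) is an assumption, since the original rule body is not quoted on the page; the `negate_depth=None` variant is likewise mine, shown only to make the trade-off of dropping `depth` visible (it would also whitelist anything ending in `u.pw`).

```python
"""Model of the Snort content/offset/depth match behind rule 1:28039 (Suspicious .pw dns query).

Added example, not code from the thread or from Talos. The negation clause is the one
proposed in the thread; the positive ".pw" match is an assumption, because the real
rule body is not quoted on the page.
"""
import struct
from typing import Optional

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT: six 16-bit fields

# content:!"|01 75 02 70 77 00|"; offset:12; depth:6;   (verbatim from the thread)
NEGATE_U_PW = b"\x01u\x02pw\x00"
# Assumed positive match: wire form of a trailing ".pw" label (not quoted on the page).
PW_TLD = b"\x02pw\x00"


def encode_qname(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels: u.pw -> 01 75 02 70 77 00."""
    labels = [lbl.encode("ascii") for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample UDP/53 payload: one standard A/IN question for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def snort_content(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content match: the pattern must lie wholly inside payload[offset:offset+depth].

    With offset:12 and depth:6 on a six-byte pattern, the pattern has to start exactly
    at byte 12, i.e. the QNAME must be the bare label sequence u.pw.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def rule_28039_alerts(payload: bytes, negate_depth: Optional[int] = 6) -> bool:
    """Return True when the modelled rule fires on this DNS payload.

    negate_depth=6 reproduces the proposed clause; negate_depth=None drops `depth`, so the
    negation applies anywhere after the header and therefore also suppresses *.u.pw.
    """
    if not snort_content(payload, PW_TLD, offset=DNS_HEADER_LEN):
        return False  # not a .pw query at all
    if snort_content(payload, NEGATE_U_PW, offset=DNS_HEADER_LEN, depth=negate_depth):
        return False  # the !content clause suppresses the alert
    return True


def evaluate(names):
    """Run both variants over a list of QNAMEs: {name: (with depth:6, without depth)}."""
    return {
        n: (rule_28039_alerts(build_dns_query(n)),
            rule_28039_alerts(build_dns_query(n), negate_depth=None))
        for n in names
    }


if __name__ == "__main__":
    for name, (anchored, unanchored) in evaluate(
            ["u.pw", "www.u.pw", "evil.pw", "example.com"]).items():
        print(f"{name:12} depth:6 -> {'ALERT' if anchored else 'pass':5}   "
              f"no depth -> {'ALERT' if unanchored else 'pass'}")
```

Running it shows `u.pw` suppressed and `evil.pw` alerting under both variants, while `www.u.pw` alerts with the proposed `depth:6` clause and is silenced only when `depth` is dropped. Whether subdomains of a shortener should be whitelisted is the local policy question Jeremy raises; the anchored form is the conservative choice, and a site that wants the wider exemption can carry it locally via modifysid rather than in the shipped rule.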
Current thread:
- Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 19)
- Re: Proposed update to 1:28039 Jeremy Hoel (Dec 19)
- Re: Proposed update to 1:28039 Joel Esler (jesler) (Dec 22)
- Re: Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 22)
- Re: Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 22)
- Re: Proposed update to 1:28039 Joel Esler (jesler) (Dec 22)
- Re: Proposed update to 1:28039 Jeremy Hoel (Dec 19)