Snort mailing list archives
Re: Possible Rule Change
From: Y M <snort () outlook com>
Date: Thu, 29 Jan 2015 20:12:07 +0000
Hello Eric,

Can you provide sample data/pcaps? Another question that may be difficult to pinpoint the answer for, but can you correlate the date period when the pattern has changed?

Thanks

On Thu, Jan 29, 2015 at 11:56 AM -0800, "eric gonzalez" <eric.y.gonzalez () gmail com> wrote:

Hello,

I was wondering if I could suggest changing the regex within the rule MALWARE-CNC Win.Trojan.Asprox outbound connection attempt. You currently have it listed as /\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U. That is catching good activity; however, we ran the following against all of our data and found that we are getting more matches on the following regex rule: \/[a-z]{1,2}\/[a-z0-9]{8,10}\/[a-z0-9]{30,35}\/AA\/[0-9]$

With the regex in the rule we are matching on 110/357 attempts related to this activity. With the latter one we are matching on the full 357 logs containing hits for Asprox-like URLs.

Regards,
Eric
------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
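To make the difference between the two expressions concrete, here is a small added comparison script; it is not from the thread or from the Snort rule set. It runs the rule's current PCRE body and the proposed pattern over a handful of constructed URIs (invented here, not taken from anyone's logs) that isolate each point where the patterns diverge: the first path segment, the character class and length of the third segment, and the trailing digit. The helper names (`matches`, `coverage`, `to_snort_pcre`) are my own, and `to_snort_pcre` only reproduces the delimiter escaping the existing rule already uses.

```python
import re

# PCRE body currently in the rule (delimiters and the /U modifier removed).
# Python's re understands \x2f as a literal "/" just as PCRE does.
CURRENT_PATTERN = r"\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$"
# Broader pattern proposed in the thread, in its unescaped form.
PROPOSED_PATTERN = r"/[a-z]{1,2}/[a-z0-9]{8,10}/[a-z0-9]{30,35}/AA/[0-9]$"

CURRENT_RE = re.compile(CURRENT_PATTERN)
PROPOSED_RE = re.compile(PROPOSED_PATTERN)

HEX32 = "0123456789abcdef" * 2  # 32 hex characters, as the current rule requires

# Constructed sample URIs (not real traffic); each exercises one difference.
SAMPLES = [
    ("/x/abcd1234/" + HEX32 + "/AA/0", "fits the current rule exactly"),
    ("/b/abcd1234/" + HEX32 + "/AA/0", "first segment is not 'x'"),
    ("/xy/zz12345678/" + HEX32 + "/AA/7", "two-letter segment, trailing 7"),
    ("/x/abcd1234/" + "g" * 33 + "/AA/0", "third segment is 33 non-hex chars"),
    ("/x/abcd1234/" + HEX32 + "/AA/0?r=1", "query string after the tail"),
    ("/images/logo.png", "benign static asset"),
]


def matches(uri):
    """Return (current_hits, proposed_hits) for one normalized URI."""
    return bool(CURRENT_RE.search(uri)), bool(PROPOSED_RE.search(uri))


def coverage(uris):
    """Count hits for each pattern and list the URIs only the proposed one catches.

    The URIs in the third slot are where the extra coverage comes from; they
    are also where any false-positive review should focus, because the looser
    class [a-z0-9]{30,35} no longer demands a hex-looking token.
    """
    current = proposed = 0
    added = []
    for uri in uris:
        c, p = matches(uri)
        current += c
        proposed += p
        if p and not c:
            added.append(uri)
    return current, proposed, added


def to_snort_pcre(pattern):
    """Wrap a pattern as a Snort pcre option, escaping "/" as \\x2f like the rule does."""
    body = pattern.replace("\\/", "/").replace("/", "\\x2f")
    return 'pcre:"/%s/U";' % body


if __name__ == "__main__":
    for uri, note in SAMPLES:
        c, p = matches(uri)
        print("current=%-5s proposed=%-5s  %s  (%s)" % (c, p, uri, note))
    cur, prop, added = coverage([u for u, _ in SAMPLES])
    print("\ncurrent rule: %d/%d   proposed: %d/%d   gained: %d"
          % (cur, len(SAMPLES), prop, len(SAMPLES), len(added)))
    print(to_snort_pcre(PROPOSED_PATTERN))
```

Two things the run makes visible: both patterns end in `$`, so a URI with anything after the final digit matches neither, and every URI the proposed pattern gains is one where the third segment is no longer constrained to 32 hex characters, which is exactly the set worth sampling from the 357 hits before the rule is loosened.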
Current thread:
- Possible Rule Change eric gonzalez (Jan 29)
- Re: Possible Rule Change Y M (Jan 29)