Snort mailing list archives
Re: Are these rules from community.rules redundant?
From: Patrick Mullen <pmullen () sourcefire com>
Date: Tue, 23 Jun 2015 10:39:09 -0400
Tyler,

It was just a redundant rule. We'll update the ruleset. Thanks for the catch!

~Patrick

On Mon, Jun 22, 2015 at 12:02 PM, Tyler Smith <tyler.smith () adventiumlabs com> wrote:

> Is this an error in community.rules, or is the redundancy intentional?
>
> -Tyler
>
> On Jun 22, 2015, at 10:57 AM, Nick Randolph <drandolph () sourcefire com> wrote:
>
>> Yes, in addition to sid:27628.
>>
>> On 06/22/2015 11:03 AM, Tyler Smith wrote:
>>
>>> I was doing an evaluation of the community.rules made available on the Snort web page <https://www.snort.org/downloads/#rule-downloads>, and noticed these two rules:
>>>
>>> Rule @ line 2643:
>>> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27625; rev:2;)
>>>
>>> Rule @ line 2644:
>>> alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27626; rev:2;)
>>>
>>> Doesn't the content option in the first rule (|09|documents|09|myPicture|04|info|00|) make the 2nd rule redundant? That is, the 1st rule will always trigger if the 2nd rule does, because its content option is a substring of the 2nd's content option (|03|ftp|09|documents|09|myPicture|04|info|00|).
>>>
>>> Thanks,
>>> Tyler
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
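The substring relation Tyler points out can be checked mechanically across a rule file. The following is an added example, not code from the thread or from the Snort project: it decodes Snort `|hex|` content strings to bytes, encodes domain names as DNS wire-format labels, and flags rule pairs with the same header where one rule's content is a substring of the other's. The two rule lines are constructed from sid 27625 and 27626 as quoted above; the check ignores offset/depth/distance modifiers, so any hit is a candidate to review rather than a proof of redundancy.

```python
import re

# Constructed sample input: the two rules from the thread, trimmed to the
# options that matter for the substring check.
RULES = [
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain '
    'documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; '
    'content:"|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; sid:27625; rev:2;)',
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain '
    'ftp.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; '
    'content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; sid:27626; rev:2;)',
]

def snort_content_to_bytes(text: str) -> bytes:
    """Decode a Snort content string: spans between pipes are hex, the rest is literal."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2:                                   # odd chunks sit between pipes
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)

def dns_name_wire(name: str) -> bytes:
    """Encode a domain as DNS wire-format labels: length byte, label, ..., NUL terminator."""
    labels = [bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")]
    return b"".join(labels) + b"\x00"

def parse_rule(line: str) -> dict:
    """Pull the header, sid and first content option out of one rule line."""
    header = line.split("(", 1)[0].strip()
    sid = int(re.search(r"\bsid:(\d+)", line).group(1))
    content = re.search(r'content:"([^"]*)"', line).group(1)
    return {"header": header, "sid": sid, "content": snort_content_to_bytes(content)}

def find_shadowed(lines) -> list:
    """Return (broad_sid, narrow_sid) pairs: same header and the broad rule's content
    is a substring of the narrow rule's, so the broad rule fires whenever the narrow one does."""
    rules = [parse_rule(line) for line in lines]
    pairs = []
    for a in rules:
        for b in rules:
            if a is not b and a["header"] == b["header"] and a["content"] in b["content"]:
                pairs.append((a["sid"], b["sid"]))
    return pairs

if __name__ == "__main__":
    for broad, narrow in find_shadowed(RULES):
        print(f"sid:{broad} already covers sid:{narrow}")
```

Because a parent domain's label sequence (ending in the |00| terminator) is always a suffix of every subdomain's wire encoding, any DNS-name rule that matches the parent will also match queries for its subdomains.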
Current thread:
- Are these rules from community.rules redundant? Tyler Smith (Jun 22)
- Re: Are these rules from community.rules redundant? Nick Randolph (Jun 22)
- Re: Are these rules from community.rules redundant? Tyler Smith (Jun 22)
- Re: Are these rules from community.rules redundant? Patrick Mullen (Jun 23)
- Re: Are these rules from community.rules redundant? Tyler Smith (Jun 22)
- Re: Are these rules from community.rules redundant? Nick Randolph (Jun 22)