Snort mailing list archives

Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Mar 2012 12:47:32 -0500

Correct me if I'm wrong, I'm on my phone right now, but I believe the additional content match just checked for the 19th object header, is that correct?

--
Joel Esler

On Mar 5, 2012, at 12:28 PM, Community Proposed <lists () packetmail net> wrote:

On Mon, 5 Mar 2012 10:48:41 -0500 Joel Esler <jesler () sourcefire com> wrote:

Nathan, I changed our rule to this:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit";
flow:to_client,established; flowbits:isset,file.pdf; file_data;
content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>";
fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
drop, service http; classtype:trojan-activity; sid:21417; rev:3;) 

It fires perfectly.  Thanks for the update.

Thank you, Joel. If there are any false positive reports (I would be surprised
if there are), we can always go with the initial additional content byte-match
distance:0; against the %PDF header.

Thanks,
Nathan
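As an added illustration (not part of the thread, and not Snort code), the following Python models the difference between the two content-match strategies discussed above for sid:21417: rev:3 as posted, where the two content matches are independent, and Nathan's fallback, where the CreationDate match carries distance:0 relative to the %PDF header. The sample buffers are constructed for the demonstration; real Snort evaluation (file_data buffer, fast_pattern handling, retries) is richer than this sketch.

```python
# Added example: emulate the two content-match strategies for Snort sid:21417.
# Not Snort's own code; the sample PDF fragments below are constructed.

PDF_HEADER = b"%PDF-1.6\r\n"                              # content:"%PDF-1.6|0D 0A|"
CREATION_DATE = b") /CreationDate (D:20110405234628)>>"  # second content match


def matches_rev3(data: bytes) -> bool:
    """rev:3 as posted: each content is searched independently over the whole
    file_data buffer, so both only have to be present somewhere."""
    return PDF_HEADER in data and CREATION_DATE in data


def matches_relative(data: bytes) -> bool:
    """Fallback variant: the CreationDate content is relative (distance:0), so
    the search starts right after the end of the %PDF header match. A later
    occurrence of the header cannot help if none follows the first one, so
    checking after the first occurrence is sufficient.
    Caveat: neither variant pins the header to offset 0; without offset/depth
    modifiers %PDF-1.6 is accepted anywhere in the buffer."""
    hdr = data.find(PDF_HEADER)
    if hdr < 0:
        return False
    return data.find(CREATION_DATE, hdr + len(PDF_HEADER)) >= 0


# Constructed samples (not real captures):
SAMPLE_HIT = (PDF_HEADER
              + b"1 0 obj\n<</Producer (x) /CreationDate (D:20110405234628)>>\n"
              + b"endobj\n")
SAMPLE_BENIGN = (PDF_HEADER
                 + b"1 0 obj\n<</Producer (x) /CreationDate (D:20120101000000)>>\n"
                 + b"endobj\n")
# Header appearing after the date string, e.g. junk prepended to the file:
SAMPLE_REVERSED = b"<</Producer (x) /CreationDate (D:20110405234628)>>\n" + PDF_HEADER


def compare(data: bytes) -> tuple:
    """Return (rev3_result, relative_result) for one buffer."""
    return matches_rev3(data), matches_relative(data)


if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN),
                      ("reversed", SAMPLE_REVERSED)):
        print(name, compare(buf))
```

The reversed sample is the case where the two rule variants disagree: the independent matches of rev:3 still fire, while the distance:0 variant requires the date string to follow the header.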


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
