Snort mailing list archives

Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 30 Mar 2012 08:25:12 -0400

I made many announcements, both on the list and on the blog. In fact, I titled the blog post with the exact error, so if
people Google the error it will come right up. It's on the blog at blog.snort.org.

--
Joel Esler

On Mar 30, 2012, at 12:20 AM, waldo kitty <wkitty42 () windstream net> wrote:

On 3/5/2012 10:48, Joel Esler wrote:
Nathan, I changed our rule to this:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)

It fires perfectly.  Thanks for the update.

Hey Joel, wasn't there a blog announcement about FILE_DATA_PORTS? I've had numerous
folks contacting me about IDS failures concerning this change, and I'm unable to
find where to point them for the changes they need to make :(
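The failures described in this thread come from a rule header that names a port variable the sensor's snort.conf does not define: Snort rejects the rule set at load time until the variable is added. The script below is an added example, not code from the thread or from the Snort project. It extracts every $VARIABLE referenced in a rule's header, checks each against the var/ipvar/portvar definitions in a snort.conf fragment (following references inside definitions, so $HTTP_PORTS inside a FILE_DATA_PORTS definition is checked too), and reports what is missing. The two snort.conf fragments are constructed for the example; the FILE_DATA_PORTS value mirrors the one shipped with Snort 2.9.x but is an assumption, not something the thread states.

```python
"""Check that every $VARIABLE a Snort rule header references is defined in snort.conf.

Added example, not from the mailing-list thread.  Only the rule header is
inspected: Snort expands variables there, not inside content strings, so
scanning the options would produce false positives.
"""
import re
from typing import Dict, List, Set

# Definition lines: "var NAME VALUE", "ipvar NAME VALUE", "portvar NAME VALUE".
VAR_DEF = re.compile(r"^\s*(var|ipvar|portvar)\s+(\S+)\s+(.+?)\s*$")
# Reference: "$NAME" (letters, digits and underscores).
VAR_REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

# The rule as posted in the thread (sid 21417, rev 3).
RULE_21417 = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; '
    'flow:to_client,established; flowbits:isset,file.pdf; file_data; '
    'content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; '
    'fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, '
    'service http; classtype:trojan-activity; sid:21417; rev:3;)'
)

# Constructed snort.conf fragments: an older one that predates FILE_DATA_PORTS
# and a corrected one that defines it (value assumed, see module docstring).
OLD_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET any
portvar HTTP_PORTS [80,8080]
"""
NEW_CONF = OLD_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"


def parse_variables(conf_text: str) -> Dict[str, str]:
    """Return {NAME: VALUE} for every var/ipvar/portvar line in the config."""
    defs: Dict[str, str] = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            defs[m.group(2)] = m.group(3)
    return defs


def rule_header(rule: str) -> str:
    """Return the part of the rule before the option parenthesis."""
    return rule.split("(", 1)[0]


def referenced_variables(text: str) -> Set[str]:
    """Names of all $VARIABLE references in the given text."""
    return set(VAR_REF.findall(text))


def undefined_variables(rule: str, conf_text: str) -> List[str]:
    """Variables the rule header needs that the config does not define.

    References inside a definition's value are followed, so a portvar built
    from $HTTP_PORTS also requires HTTP_PORTS to be defined.
    """
    defs = parse_variables(conf_text)
    missing: Set[str] = set()
    seen: Set[str] = set()
    todo = list(referenced_variables(rule_header(rule)))
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in defs:
            todo.extend(referenced_variables(defs[name]))
        else:
            missing.add(name)
    return sorted(missing)


if __name__ == "__main__":
    for label, conf in (("old snort.conf", OLD_CONF), ("updated snort.conf", NEW_CONF)):
        missing = undefined_variables(RULE_21417, conf)
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"sid 21417 against {label}: {status}")
```

Run against the older fragment the script reports FILE_DATA_PORTS as missing, which is the situation the sensors in this thread were in; against the fragment that adds the portvar it reports nothing missing. Pointing it at a real rules file and snort.conf before a signature update is a cheap way to catch a variable rename before the sensor refuses to start.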


------------------------------------------------------------------------------
This SF email is sponsored by:
Try Windows Azure free for 90 days Click Here 
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
