Snort mailing list archives
Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 31 Mar 2012 11:37:45 -0400
http://blog.snort.org/2012/01/portvar-lookup-failed-on-filedataports.html

--
Joel Esler

On Mar 30, 2012, at 11:16 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 3/30/2012 08:25, Joel Esler wrote:
>> I made many announcements. Both on the list and on the blog. In fact, I titled the blog post the exact error, so if people will Google the error it will come right up. It's on the blog at blog.snort.org
>
> i thought that you had... but when i checked, i couldn't find anything so i wrote my message... i definitely remember some traffic about it but :? thanks again!
>
>> --
>> Joel Esler
>>
>> On Mar 30, 2012, at 12:20 AM, waldo kitty <wkitty42 () windstream net> wrote:
>>
>>> On 3/5/2012 10:48, Joel Esler wrote:
>>>> Nathan, I changed our rule to this:
>>>>
>>>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
>>>>
>>>> It fires perfectly. Thanks for the update.
>>>
>>> hey joel, wasn't there a blog announcement about FILE_DATA_PORTS? i've numerous folk contacting me about IDS failures concerning this change and i'm unable to find where to point them for the changes they need to make :(
Snort-sigs mailing list: https://lists.sourceforge.net/lists/listinfo/snort-sigs
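The whole thread turns on one detail of the revised rule: sid 21417 rev 3 binds to $FILE_DATA_PORTS, and a sensor whose snort.conf has no `portvar FILE_DATA_PORTS` line fails with the "portvar lookup failed" error that the blog post linked above is named after. The script below is an added example, not code from the thread or from the Snort project: it lints a rule file against a snort.conf for $NAME references in rule headers that have no var/ipvar/portvar definition, and separately flags definitions whose own value points at an undefined variable, so a rule update like this one is caught before the sensor is restarted. The snort.conf fragments and the second rule are constructed for the example; the FILE_DATA_PORTS value [$HTTP_PORTS,110,143] used in the corrected configuration is an assumption matching the stock snort.conf shipped with Snort 2.9.x, not a value the thread states.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed snort.conf fragment: HOME_NET, EXTERNAL_NET and HTTP_PORTS are
# defined, but the FILE_DATA_PORTS portvar that the revised rule references is not.
OLD_SNORT_CONF = """\
ipvar HOME_NET 192.168.0.0/16
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# Assumed fix: the portvar line as it appears in the stock snort.conf of the
# Snort 2.9.x era (assumption, not taken from the thread).
FIXED_SNORT_CONF = OLD_SNORT_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

# Constructed rule file: sid 21417 exactly as posted in the thread, plus one
# constructed rule that only uses $HTTP_PORTS and therefore must not be flagged.
RULES = r"""
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed rule that only uses HTTP_PORTS"; flow:to_client,established; sid:9000001; rev:1;)
"""

VAR_DEF = re.compile(r"^\s*(?:var|ipvar|portvar)\s+([A-Za-z_]\w*)\s+(.+?)\s*$")
VAR_REF = re.compile(r"\$([A-Za-z_]\w*)")
SID = re.compile(r"\bsid\s*:\s*(\d+)")


def parse_variables(conf_text: str) -> Dict[str, str]:
    """Map each var/ipvar/portvar name to its raw value; later lines override earlier ones."""
    defs: Dict[str, str] = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = VAR_DEF.match(line)
        if m:
            defs[m.group(1)] = m.group(2)
    return defs


def rule_header_variables(rule: str) -> Set[str]:
    """Names referenced as $NAME in the rule header, i.e. before the option block."""
    header = rule.split("(", 1)[0]
    return set(VAR_REF.findall(header))


def undefined_variables(rules_text: str, conf_text: str) -> List[Tuple[int, List[str]]]:
    """Return (sid, [missing names]) for every rule whose header uses a variable
    that conf_text never defines. An empty list means the rule set would load."""
    defined = set(parse_variables(conf_text))
    problems: List[Tuple[int, List[str]]] = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        missing = sorted(rule_header_variables(line) - defined)
        if missing:
            m = SID.search(line)
            problems.append((int(m.group(1)) if m else -1, missing))
    return problems


def dangling_definitions(conf_text: str) -> Dict[str, List[str]]:
    """Definitions whose value references a variable that conf_text never defines,
    e.g. a FILE_DATA_PORTS line pasted into a file with no HTTP_PORTS."""
    defs = parse_variables(conf_text)
    defined = set(defs)
    result: Dict[str, List[str]] = {}
    for name, value in defs.items():
        missing = sorted(set(VAR_REF.findall(value)) - defined)
        if missing:
            result[name] = missing
    return result


if __name__ == "__main__":
    for label, conf in (("old snort.conf", OLD_SNORT_CONF), ("fixed snort.conf", FIXED_SNORT_CONF)):
        print(f"{label}: undefined -> {undefined_variables(RULES, conf)}, "
              f"dangling -> {dangling_definitions(conf)}")
```

Run against the constructed old configuration the linter reports sid 21417 as missing FILE_DATA_PORTS and nothing for the HTTP_PORTS-only rule; with the corrected configuration it reports nothing. Only the rule header is inspected because that is where port and IP variables are resolved; option-block contents such as the PDF byte pattern are left untouched.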
Current thread:
- Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Community Proposed (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" waldo kitty (Mar 29)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 30)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" waldo kitty (Mar 30)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 31)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Dave Venman (Mar 31)