Re: Sig help (Tumblr redirect)

["Lay, James" <james.lay () wincofoods com>]

> -----Original Message-----
> From: Patrick Mullen [mailto:pmullen () sourcefire com]
> Sent: Friday, June 29, 2012 11:01 AM
> To: Lay, James
> Cc: snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] Sig help (Tumblr redirect)
>
> James,
>
> While it wouldn't be comprehensive coverage, I don't see a reason why
> your rule wouldn't be a good way to catch a bunch of these spam
> messages if it's a common theme.
>
> Since you asked, there are two things I would do to improve the rule.
> One is a performance improvement, the other is a readability
> improvement.
>
> The readability improvement is that your content match is all ascii
> data so it's much easier to see what's going on if you use the actual
> ascii rather than the hex code in your rule.  It gets loaded the same
> way into the rule engine so there is no performance difference for
> using either method.
>
> content:"='://e'|3b|"  (Note I did still have to convert the semicolon
> to make the rules parser's life easier)
>
> The performance change is a huge boost by using fast_pattern:only on
> the content match.  Doing so implies nocase but here it doesn't matter
> and you actually specify it in your rule.  What this directive does is
> put the content match into the fast pattern matcher but removes it
> from the list of checks once evaluating the rule itself, effectively
> making it so the content match is only checked once.  Note you can
> only do fast_pattern:only if case sensitivity is not important and the
> match is location independent meaning it is not relative to anything
> and nothing is relative to it.
>
> content:"='://e'|3b|"; fast_pattern:only;
>
> The resulting rule is the following --
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Tumblr spam redirect"; flow:from_server; file_data;
> content:"='://e'|3b|"; fast_pattern:only; metadata:policy security-ips
> drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)
>
> Hope this helps!
>
>
> Thanks,
>
> ~Patrick
>
> --
> Patrick Mullen
> Research Manager
> Sourcefire VRT

Thanks a bunch Patrick...I initially tried all ascii at first, but
couldn't get it to go...thanks to you now I understand that I need to
hex the semicolon..ironically I'm just looking at my print out of the
Snort manual and sure as the world it says what to escape on page
181...go me 8-|.  And thanks for the expansion on fast_pattern..I'm
still trying to wrap my head around it.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!