Snort mailing list archives
Re: Sig help (Tumblr redirect)
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 29 Jun 2012 11:31:43 -0600
-----Original Message-----
From: Patrick Mullen [mailto:pmullen () sourcefire com]
Sent: Friday, June 29, 2012 11:01 AM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Sig help (Tumblr redirect)

James,

While it wouldn't be comprehensive coverage, I don't see a reason why your rule wouldn't be a good way to catch a bunch of these spam messages if it's a common theme.

Since you asked, there are two things I would do to improve the rule. One is a performance improvement, the other is a readability improvement.

The readability improvement is that your content match is all ASCII data, so it's much easier to see what's going on if you use the actual ASCII rather than the hex code in your rule. It gets loaded the same way into the rule engine, so there is no performance difference for using either method.

content:"='://e'|3b|"

(Note I did still have to convert the semicolon to make the rules parser's life easier.)

The performance change is a huge boost by using fast_pattern:only on the content match. Doing so implies nocase, but here it doesn't matter, and you actually specify it in your rule. What this directive does is put the content match into the fast pattern matcher but removes it from the list of checks once evaluating the rule itself, effectively making it so the content match is only checked once. Note you can only do fast_pattern:only if case sensitivity is not important and the match is location independent, meaning it is not relative to anything and nothing is relative to it.

content:"='://e'|3b|"; fast_pattern:only;

The resulting rule is the following:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server; file_data; content:"='://e'|3b|"; fast_pattern:only; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)

Hope this helps!

Thanks,

~Patrick

--
Patrick Mullen
Research Manager
Sourcefire VRT
Thanks a bunch Patrick... I initially tried all ASCII at first, but couldn't get it to go... thanks to you, now I understand that I need to hex the semicolon... ironically, I'm just looking at my printout of the Snort manual and sure as the world it says what to escape on page 181... go me 8-|. And thanks for the expansion on fast_pattern... I'm still trying to wrap my head around it.

James
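The point of the exchange above is that the ASCII spelling `='://e'|3b|` and an all-hex spelling load as the same bytes, and that `;` must be written as `|3b|` (or backslash-escaped) because a bare semicolon terminates the rule option. As an added illustration, not code from the thread or from Snort itself, the following small parser models the byte syntax inside `content:"..."`, checks both spellings decode identically, and runs the pattern over a constructed response body the way a `file_data` content match would; the body and the hex spelling are assumptions made up for this example.

```python
SNORT_RESERVED = set(';"\\|')  # must be escaped or written as |hex| inside content


def parse_content(spec: str) -> bytes:
    """Convert the text between the quotes of content:"..." into raw bytes.

    Plain characters are literal; a |..| run holds hex bytes (space separated
    or not); a backslash escapes the next character. The thread writes the
    semicolon as |3b| because an unescaped ';' would end the content option.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":
            end = spec.index("|", i + 1)            # ValueError if unterminated
            out += bytes.fromhex(spec[i + 1:end].replace(" ", ""))
            i = end + 1
        elif c == "\\":
            out.append(ord(spec[i + 1]))            # escaped literal
            i += 2
        elif c in SNORT_RESERVED:
            raise ValueError(f"unescaped {c!r} in content string")
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Emulate a location-independent content match over a response body."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Constructed sample body (assumption) containing the ='://e'; fragment.
SAMPLE_BODY = (b"<html><head><script>\n"
               b"var u='://e';\n"
               b"</script></head></html>\n")

if __name__ == "__main__":
    ascii_form = "='://e'|3b|"
    hex_form = "|3d 27 3a 2f 2f 65 27 3b|"          # same bytes, all hex
    print(parse_content(ascii_form) == parse_content(hex_form))  # True
    print(content_matches(SAMPLE_BODY, ascii_form))              # True
```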