Snort mailing list archives
Re: Quick rule question
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 19 Oct 2012 09:34:41 -0600
On 2012-10-19 09:29, Joel Esler wrote:
On Oct 19, 2012, at 11:23 AM, James Lay <jlay () slave-tothe-box net> wrote:On 2012-10-19 08:39, Joel Esler wrote:content:".htm"; content:"|22|"; distance:0; within:2; pcre:"/\/html?\x22/"; Something like that? Is that what you are trying to do? -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire On Oct 19, 2012, at 10:24 AM, James Lay <jlay () slave-tothe-box net> wrote:Hey all, Quick question...trying to match: .htm" OR .html" my content can be htm and that's fine, but I need to make sure to have the end quote at the end. Thanks all. JamesThanks Joel and Mike, I'm trying to modify this rule to catch both .html" and .htm" as I've seen some changes: alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Blackhole exploit kit possible email Landing"; flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; content:"/index.html|22|"; distance:0; within:50; pcre:"/\x2f[a-z0-9]{6,8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000018; rev:4;)We've seen some real positive results in the field with that rule (sid: 24171). We get a FP every once in awhile, but for the most part, it's doing a great job. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
Thanks Joel...maybe I'll just change the other one to specifically look for .htm#...I'll let you know if I get results..thanks again. James ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Quick rule question James Lay (Oct 19)
- Re: Quick rule question Joel Esler (Oct 19)
- Re: Quick rule question James Lay (Oct 19)
- Re: Quick rule question Joel Esler (Oct 19)
- Re: Quick rule question James Lay (Oct 19)
- Re: Quick rule question James Lay (Oct 19)
- Re: Quick rule question Joel Esler (Oct 19)
- Re: Quick rule question Mike Cox (Oct 19)
- Re: Quick rule question Mike Cox (Oct 19)