Snort mailing list archives
Re: [Emerging-Sigs] Rule assist
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Tue, 25 Jun 2013 12:51:39 -0500
Just as an FYI all of my hits on these eventually lead to smoke loader and it's associated sigs firing. Regards, Will On Tue, Jun 25, 2013 at 12:22 PM, James Lay <jlay () slave-tothe-box net>wrote:
On 2013-06-25 11:10, Joel Esler wrote:content:"GET /?1 HTTP/1.1"; fast_pattern:only; is your best bet. You could break it out like this if you want: urilen:3; content:"GET"; http_method; content:"/?1"; http_uri; content:"HTTP/1.1"; "HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the problem? -- JOEL ESLER Senior Research Engineer, VRT OpenSource Community Manager SourcefireThanks Joel and Will...here's the full rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000082; rev:1;) Going to run this in production and see how it flies. James ______________________________**_________________ Emerging-sigs mailing list Emerging-sigs@lists.**emergingthreats.net<Emerging-sigs () lists emergingthreats net> https://lists.emergingthreats.**net/mailman/listinfo/emerging-**sigs<https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!
------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rule assist James Lay (Jun 25)
- Re: [Emerging-Sigs] Rule assist Joel Esler (Jun 25)
- Re: [Emerging-Sigs] Rule assist James Lay (Jun 25)
- Re: [Emerging-Sigs] Rule assist Will Metcalf (Jun 25)
- Re: [Emerging-Sigs] Rule assist James Lay (Jun 25)
- Re: [Emerging-Sigs] Rule assist Joel Esler (Jun 25)
- Re: [Emerging-Sigs] Rule assist James Lay (Jun 25)
- Re: [Emerging-Sigs] Rule assist Joel Esler (Jun 25)
- Re: [Emerging-Sigs] Rule assist Will Metcalf (Jun 25)