Re: Rule message change 27875

["Joel Esler (jesler)" <jesler () cisco com>]

On Jan 8, 2014, at 2:22 PM, Joseph Cooper <joseph.cooper () RACKSPACE COM<mailto:joseph.cooper () RACKSPACE COM>> wrote:

I was wanting your opinions and checking to see if we could get the msg for this rule changed. The rule doesn’t 
actually look for DotCachef itself, but for JJEncoding, which a lot of software and ad sites are starting to use.
Having the rule message state it is an Exploit-Kit has caused fellow analysts to continuously look for what is not 
there, and I feel a change would be beneficiary to all.
Let me know what you think :)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotCachef/DotCache exploit kit landing page"; 
flow:to_client,established; file_data; content:",$$$$|3A|(![]+|22 22|)"; fast_pattern:only; metadata:policy 
balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27875; rev:1; )

Sounds good, I’ll adjust it to something more appropriate.

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!