Snort mailing list archives
Re: Proposed update to 1:28039
From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Mon, 22 Dec 2014 21:06:02 +0000
Thanks, Joel. Anthony Rodgers Security Analyst Michigan Security Operations Center (MiSOC) From: Joel Esler (jesler) [mailto:jesler () cisco com] Sent: Monday, December 22, 2014 10:41 To: Jeremy Hoel Cc: Rodgers, Anthony (DTMB); snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] Proposed update to 1:28039 On Dec 19, 2014, at 11:06 PM, Jeremy Hoel <jthoel () gmail com<mailto:jthoel () gmail com>> wrote: This was discussed this time last year and the answer was that since u.pw<http://u.pw/> is still a pw domain, you should modify the rule locally to negate it. It makes sense since allowing that domain is still going to be a matter of policy for where snort is running at. It's pretty easy to do a modify aid to add the !content match and update the rule for you. On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov<mailto:RodgersA1 () michigan gov>> wrote: Since Upworthy purchased u.pw<http://u.pw/> (http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/), should we update INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039) to add the following: content:!"|01 75 02 70 77 00|"; offset:12; depth:6; Cheers, Anthony Rodgers Security Analyst Michigan Security Operations Center (MiSOC) I’ve just updated the rule to negate u.pw<http://u.pw>. This rule should ship soon. -- Joel Esler Open Source Manager Threat Intelligence Team Lead Talos
------------------------------------------------------------------------------ Dive into the World of Parallel Programming! The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 19)
- Re: Proposed update to 1:28039 Jeremy Hoel (Dec 19)
- Re: Proposed update to 1:28039 Joel Esler (jesler) (Dec 22)
- Re: Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 22)
- Re: Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 22)
- Re: Proposed update to 1:28039 Joel Esler (jesler) (Dec 22)
- Re: Proposed update to 1:28039 Jeremy Hoel (Dec 19)