[Snort-sigs] Question about content

evilghost at ...3397...
Tue Dec 1 09:47:57 EST 2009


>> ...1245643577AAAA
>> how can I verify that it contains "AAAA"

Making assumptions about direction, protocol, and content I would try something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"AAAA detected"; flow:established,to_server; content:"GET "; depth:4; content:"AAAA"; pcre:"/\d+AAAA$/"; classtype:suspicious-activity; sid:20091201; rev:1;)

As it stands the signature is costly but you would need to supply additional criteria for us to narrow it down.  For example, are you looking in the uribuffer or http_headers?  Content body?  What layer 7 protocol?  Any other identifying factors that could add to the precision?

Note - SourceFire shouldn't be allowed to interface with the public, especially if the responses are accusatory in nature.  Some of the quality in VRT signatures I've seen makes me laugh when they respond like they do here.  It's always funny to watch the baboons throwing rocks from their glass houses.


Matt Olney wrote:
> Yep...but I'm feeling uber generous this morning, so I'll give you a tip:
>
> PCRE$
>
> On Tue, Dec 1, 2009 at 8:33 AM, Nigel Houghton <nhoughton at ...435...> wrote:
>   
>> On Tue, Dec 1, 2009 at 4:11 AM, sofia insat <sofia.insat at ...174...> wrote:
>>     
>>> Hi,
>>>
>>> I want to detect the last word in the content.
>>> For example, if I have these bytes: ....1245643577AAAA
>>> how can I verify that it contains "AAAA" at the end without knowing the total size of the bytes?
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Join us December 9, 2009 for the Red Hat Virtual Experience,
>>> a free event focused on virtualization and cloud computing.
>>> Attend in-depth sessions from your desk. Your couch. Anywhere.
>>> http://p.sf.net/sfu/redhat-sfdev2dev
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>>       
>> Again, this looks like a homework assignment. This list is not the
>> place for homework questions.
>>
>> The answers you seek can be found in the Snort manual and the
>> associated README files in the Snort tarball. You need to do some work
>> and read the documentation.
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>
>>
>
>
>   
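The rule posted in evilghost's reply above relies on the PCRE `$` anchor to catch "AAAA" only when it sits at the end of the payload, whatever the payload length. As an added illustration (not code from anyone in this thread), the Python below emulates just the payload options of that rule (content/depth and the pcre) on constructed sample payloads; the header and flow criteria are assumed satisfied, and the trailing-newline case shows the difference between PCRE's default `$` and an absolute end-of-payload anchor.

```python
import re
from typing import Dict, Optional

# Emulation of the payload options in the quoted rule:
#   content:"GET "; depth:4;  -> the first 4 payload bytes must be "GET "
#   content:"AAAA";           -> "AAAA" must occur somewhere in the payload
#   pcre:"/\d+AAAA$/";        -> digits directly before AAAA, AAAA at the end
# Header (tcp, $HOME_NET -> $EXTERNAL_NET $HTTP_PORTS) and flow options are
# assumed already satisfied; this only models payload inspection.
PCRE_DEFAULT = re.compile(rb"\d+AAAA$")   # like PCRE's default '$': end, or just before a final "\n"
PCRE_STRICT = re.compile(rb"\d+AAAA\Z")   # Python's \Z == PCRE's \z: absolute end of payload


def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Snort 'content' with optional 'depth': search only the first `depth` bytes."""
    window = payload if depth is None else payload[:depth]
    return pattern in window


def rule_matches(payload: bytes, strict_end: bool = False) -> bool:
    """True when every payload option of the quoted rule is satisfied."""
    if not content_match(payload, b"GET ", depth=4):
        return False
    if not content_match(payload, b"AAAA"):
        return False
    regex = PCRE_STRICT if strict_end else PCRE_DEFAULT
    return regex.search(payload) is not None


# Constructed sample payloads (not captured traffic); hypothetical URIs.
SAMPLES = {
    "aaaa_at_end":      b"GET /id=1245643577AAAA",
    "aaaa_in_middle":   b"GET /id=1245643577AAAA/more",
    "no_digits_before": b"GET /id=xAAAA",
    "not_a_get":        b"POST /id=1245643577AAAA",
    "trailing_newline": b"GET /id=1245643577AAAA\n",
}


def evaluate(strict_end: bool = False) -> Dict[str, bool]:
    """Run the emulated rule over every sample and report which would alert."""
    return {name: rule_matches(p, strict_end) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18} -> {'ALERT' if hit else 'pass'}")
    print("trailing_newline with absolute end anchor:", evaluate(strict_end=True)["trailing_newline"])
```

Only the payload that ends in digits followed by "AAAA" alerts; the payload with a trailing newline still alerts under the default `$`, which is the behaviour to keep in mind if "exactly at the last byte" is what is meant.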

