[Snort-sigs] Suggested pcre addition to 1:6251

rmkml rmkml at ...174...
Wed Nov 24 16:06:46 EST 2010


Hi,
VRT have enhanced this rule to rev 7 on SEU 362 (25 Aug 2010)... (with pcre and http_header and fast_pattern...)
Regards
Rmkml


On Wed, 24 Nov 2010, Jason Wallace wrote:

> Or maybe a user_agent: rule option that limits the search to the
> user-agent header?
>
>
>
> On Wed, Nov 24, 2010 at 2:31 PM, CunningPike <cunningpike at ...2420...> wrote:
>> Hi there,
>>
>> I get a lot of false positives on the following rule:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT
>> Adware hotbar runtime detection - hostie user-agent";
>> flow:to_server,established; content:"User-Agent|3A| "; nocase;
>> content:"hostie"; distance:0; nocase; threshold:type limit, track
>> by_src, count 1, seconds 300; metadata:policy security-ips alert;
>> reference:url,www.spywareguide.com/product_show.php?id=481;
>> reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075474;
>> classtype:misc-activity; sid:6251; rev:5;)
>>
>> from content like this:
>>
>> GET /2.5.1/js/CF_insight.min.js HTTP/1.1..Accept: */*..Referer:
>> http://www.theweathernetwork.com/weather/cabc0308..Accept-Language:
>> en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0
>> (compatible; MSIE 6.0; Windows NT 5.1; SV1)..Connection:
>> Keep-Alive..Host: scripthostie6.crowdfactory.com....
>>
>> I'm wondering whether the addition of the following pcre would help keep
>> the match within the User-Agent field:
>>
>> pcre:"/User-Agent:[^\x0D\x0A]*hostie.*/smi";
>>
>> or would it allow for evasion of some kind.
>>
>> If this is a good idea, there are probably other UA-based sigs that
>> could benefit from the same treatment.
>>
>> Thoughts?
>>
>> CP
>>
>
>
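As an added illustration (not code from this thread, from VRT or from Snort itself), the Python below approximates three checks against the request CP quoted: the original two-content match with distance:0, the proposed pcre, and a header-scoped check in the spirit of Jason's user_agent: idea. The requests are reconstructed from the paste (".." restored to CRLF) and the "Hostie/1.0" user-agent is a constructed placeholder, not a real Hotbar sample.

```python
import re

# Constructed requests; the ".." in CP's paste stands for CRLF and is restored here.
FALSE_POSITIVE = (
    "GET /2.5.1/js/CF_insight.min.js HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Referer: http://www.theweathernetwork.com/weather/cabc0308\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Connection: Keep-Alive\r\n"
    "Host: scripthostie6.crowdfactory.com\r\n\r\n"
)
# Constructed true positive with a placeholder UA string; not a real Hotbar sample.
TRUE_POSITIVE = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Hostie/1.0\r\n\r\n"
)

def original_rule_matches(payload: str) -> bool:
    """content:"User-Agent|3A| "; nocase; content:"hostie"; distance:0; nocase;
    distance:0 only requires "hostie" somewhere after the first match, so a
    hit in the later Host: header (or the body) also fires."""
    lower = payload.lower()
    idx = lower.find("user-agent: ")
    return idx >= 0 and "hostie" in lower[idx + len("user-agent: "):]

# CP's proposed pcre; Snort's /smi flags map onto re.S | re.M | re.I.
PCRE = re.compile(r"User-Agent:[^\x0D\x0A]*hostie.*", re.S | re.M | re.I)

def proposed_rule_matches(payload: str) -> bool:
    r"""Original content matches plus the pcre, which confines "hostie" to the
    same line as "User-Agent:" because [^\x0D\x0A]* cannot cross a CRLF."""
    return original_rule_matches(payload) and PCRE.search(payload) is not None

def user_agent_contains(payload: str, needle: str) -> bool:
    """Header-scoped check in the spirit of Jason's user_agent: idea: parse the
    headers and look only at the User-Agent value."""
    headers = payload.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return needle.lower() in value.lower()
    return False

if __name__ == "__main__":
    for label, req in (("false positive", FALSE_POSITIVE), ("true positive", TRUE_POSITIVE)):
        print(label, original_rule_matches(req), proposed_rule_matches(req), user_agent_contains(req, "hostie"))
```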