[Snort-sigs] Quick rule optimize request

Joel Esler jesler at ...435...
Tue Jul 17 13:44:30 EDT 2012


I see that your file_data needs to come before your content matches, and
also, the pattern you have specified as "fast_pattern" is by default the
fast_pattern (meaning you don't need to specifically call it out).

Joel

On Tue, Jul 17, 2012 at 12:07 PM, James Lay <jlay at ...3266...> wrote:

> Hey all,
>
> Here's the rule:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE possible WordPress head injection";
> content:"add_action"; content:"wp_head"; content:"check_wp_head_load";
> file_data; fast_pattern; classtype:bad-unknown; sid:10000015;
> reference:blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head; rev:1;)
>
> Chances are bad guys will change the function name, but other than that
> we'll see.  This should match:
>
> @add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));
>
> But I don't have any packet caps to test this out on.  Anyone have any
> input on this?  Add some within entries perhaps?  Anyone have a pcap of
> this?  Thanks all.
>
> James
>



-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
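The two points Joel raises (file_data has to come before the content matches it should apply to, and the longest content is already the default fast pattern) are easy to check mechanically. The following is an added example, not code from the thread or from the Snort project: a small Python linter that parses a one-line Snort rule, reports both problems against James's rule as posted, and emits a reordered version. The rule text is embedded as a constructed sample. The parser is deliberately simplified (no escaped quotes or semicolons inside quoted values), the finding codes are my own naming, and the `url,` prefix it adds to the bare reference follows the standard Snort `reference:<system>,<id>` syntax rather than anything stated in the thread.

```python
import re

# Constructed sample: James's rule from the thread, joined onto one line.
POSTED_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"INDICATOR-COMPROMISE possible WordPress head injection"; '
    'content:"add_action"; content:"wp_head"; content:"check_wp_head_load"; '
    'file_data; fast_pattern; classtype:bad-unknown; sid:10000015; '
    'reference:blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head; rev:1;)'
)

# Split on ';' only when an even number of '"' follows it (i.e. outside quotes).
_OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


def split_options(rule):
    """Return (header, [(keyword, value-or-None), ...]) for a one-line rule.
    Simplified parser: assumes no escaped quotes or ';' inside quoted values."""
    header, _, body = rule.partition("(")
    body = body.strip().rstrip(")")
    opts = []
    for raw in _OPT_SPLIT.split(body):
        raw = raw.strip()
        if not raw:
            continue
        kw, sep, val = raw.partition(":")
        opts.append((kw.strip(), val.strip() if sep else None))
    return header.strip(), opts


def _longest_content(opts):
    """The longest content pattern is what Snort picks as fast pattern by default."""
    contents = [v.strip('"') for k, v in opts if k == "content" and v]
    return max(contents, key=len) if contents else None


def lint(rule):
    """Return [(code, detail), ...] for the ordering problems raised in the thread."""
    _, opts = split_options(rule)
    kws = [k for k, _ in opts]
    findings = []
    if "file_data" in kws and "content" in kws and kws.index("content") < kws.index("file_data"):
        findings.append(("file_data-after-content",
                         "file_data must precede the content matches it should apply to"))
    longest = _longest_content(opts)
    last_content = None
    for kw, val in opts:
        if kw == "content":
            last_content = val.strip('"')
        elif kw == "fast_pattern":
            if last_content is None:
                findings.append(("fast_pattern-without-content",
                                 "fast_pattern modifies a preceding content; none found"))
            elif last_content == longest:
                findings.append(("fast_pattern-redundant",
                                 f'"{last_content}" is already the longest content, hence the default fast pattern'))
        elif kw == "reference" and (val is None or "," not in val):
            findings.append(("reference-missing-system",
                             "reference takes the form <system>,<id>, e.g. url,<address>"))
    return findings


def fix(rule):
    """Rewrite the rule: file_data moved before the first content, a redundant
    fast_pattern dropped, and a bare URL reference prefixed with 'url,'."""
    header, opts = split_options(rule)
    longest = _longest_content(opts)
    has_file_data = any(k == "file_data" for k, _ in opts)
    placed = False
    last_content = None
    out = []
    for kw, val in opts:
        if kw == "file_data":
            continue  # re-inserted immediately before the first content
        if kw == "content":
            if has_file_data and not placed:
                out.append(("file_data", None))
                placed = True
            last_content = val.strip('"')
        elif kw == "fast_pattern" and last_content == longest:
            continue  # Snort would pick this content anyway
        elif kw == "reference" and val is not None and "," not in val:
            val = "url," + val
        out.append((kw, val))
    if has_file_data and not placed:
        out.append(("file_data", None))
    body = " ".join(f"{k};" if v is None else f"{k}:{v};" for k, v in out)
    return f"{header} ({body})"


if __name__ == "__main__":
    for code, detail in lint(POSTED_RULE):
        print(f"{code}: {detail}")
    print(fix(POSTED_RULE))
```

Running it prints three findings for the posted rule and a rewritten rule that passes `lint` cleanly; the rewritten rule is what you would actually load for testing once a pcap turns up, since the content checks then run against the decoded HTTP body rather than the raw stream.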

