[Snort-sigs] Quick rule optimize request

James Lay jlay at ...3266...
Tue Jul 17 14:57:27 EDT 2012


On 2012-07-17 12:27, JJ Cummings wrote:
> I would also add flow
>
> Sent from the iRoad
>
> On Jul 17, 2012, at 11:44, Joel Esler <jesler at ...435...>
> wrote:
>
>> I see that your file_data needs to come before your content matches,
>> and also, the pattern you have specified as "fast_pattern" is by
>> default the fast_pattern (meaning you don't need to specifically
>> call it out).
>>
>> Joel
>>
>> On Tue, Jul 17, 2012 at 12:07 PM, James Lay
>> <jlay at ...3266...> wrote:
>>
>>> Hey all,
>>>
>>> Here's the rule:
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>> (msg:"INDICATOR-COMPROMISE possible WordPress head injection";
>>> content:"add_action"; content:"wp_head"; content:"check_wp_head_load";
>>> file_data; fast_pattern; classtype:bad-unknown; sid:10000015;
>>> reference:blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head;
>>> rev:1;)
>>>
>>> Chances are bad guys will change the function name, but other than
>>> that we'll see. This should match:
>>>
>>> @add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));
>>>
>>> But I don't have any packet caps to test this out on. Anyone have any
>>> input on this? Add some within entries perhaps? Anyone have a pcap of
>>> this? Thanks all.
>>>
>>> James
>>>
>>>
>>
>> --
>>
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire


Thanks gents...appreciate the input.

James
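Added example, not code from this thread or from Sourcefire: a Python 3 script that writes a synthetic pcap carrying the kind of exchange James wants to test (handshake, a GET, a 200 response whose body contains the injected line, the closing ACK), plus the rule with the three suggestions from the replies applied: flow:to_client,established first, file_data before the content matches it is meant to apply to, and no explicit fast_pattern (the longest content, "check_wp_head_load", is picked by default). The within values are my assumption, tuned to the sample line; the addresses, MACs, ports, URL path and response body are constructed for the test, and the reference is written as reference:url,... which is the form Snort expects.

```python
import socket
import struct

# Constructed sample payload: the injected line quoted in the thread.
INJECTED_PHP = b'@add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));'

# Revised rule (an assumption of this example, not the list's own rule).
# within:20 / within:40 are tuned to INJECTED_PHP: "wp_head" ends 9 bytes
# after "add_action", "check_wp_head_load" ends 22 bytes after "wp_head".
REVISED_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"INDICATOR-COMPROMISE possible WordPress head injection"; '
    'flow:to_client,established; file_data; content:"add_action"; '
    'content:"wp_head"; within:20; content:"check_wp_head_load"; within:40; '
    'reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head; '
    'classtype:bad-unknown; sid:10000015; rev:2;)\n'
)

# Assumed endpoints: client in $HOME_NET, web server in $EXTERNAL_NET (TEST-NET-3).
CLIENT = ("192.168.1.10", 40000, bytes.fromhex("020000000001"))  # ip, port, mac
SERVER = ("203.0.113.5", 80, bytes.fromhex("020000000002"))

SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src, dst, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame from src to dst with both checksums filled in."""
    src_ip, sport, src_mac = src
    dst_ip, dport, dst_mac = dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def ip_checksum_ok(frame):
    """A correct IPv4 header (bytes 14..33 of the frame) sums to zero."""
    return checksum(frame[14:34]) == 0


def build_exchange():
    """Handshake, GET, 200 response carrying the snippet, client ACK, in wire order.
    Constructed scenario: a leaked theme backup served as text/plain."""
    body = b"<?php\n// constructed test body\n" + INJECTED_PHP + b"\n"
    request = (b"GET /wp-content/themes/twentyeleven/functions.php.bak HTTP/1.1\r\n"
               b"Host: victim.example\r\nUser-Agent: snort-test\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body
    cseq, sseq = 1000, 5000
    return [
        tcp_frame(CLIENT, SERVER, cseq, 0, SYN),
        tcp_frame(SERVER, CLIENT, sseq, cseq + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, cseq + 1, sseq + 1, ACK),
        tcp_frame(CLIENT, SERVER, cseq + 1, sseq + 1, PSH | ACK, request),
        tcp_frame(SERVER, CLIENT, sseq + 1, cseq + 1 + len(request), PSH | ACK, response),
        tcp_frame(CLIENT, SERVER, cseq + 1 + len(request), sseq + 1 + len(response), ACK),
    ]


def build_pcap(frames, start=1342542000):
    """Classic libpcap file (link type 1 = Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start, i * 1000, len(frame), len(frame)) + frame
    return out


def count_records(pcap):
    """Walk the record headers back out to sanity-check the file."""
    off, n = 24, 0
    while off < len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        off += 16 + incl_len
        n += 1
    return n


if __name__ == "__main__":
    pcap = build_pcap(build_exchange())
    with open("wp_head.pcap", "wb") as f:
        f.write(pcap)
    with open("local.rules", "w") as f:
        f.write(REVISED_RULE)
    print("wrote wp_head.pcap (%d records) and local.rules" % count_records(pcap))
```

Run it, point your snort.conf at local.rules, and replay with something like snort -c snort.conf -r wp_head.pcap -A console; stream5 and http_inspect have to be enabled for flow and file_data to do anything, and port 80 has to be in the http_inspect_server ports list so the response body is what file_data points at. Keep the within values loose if you expect the injected line to vary in whitespace or quoting.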




