[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"
lists at ...3397...
Mon Mar 5 12:28:59 EST 2012
On Mon, 5 Mar 2012 10:48:41 -0500 Joel Esler <jesler at ...435...> wrote:
> Nathan, I changed our rule to this:
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>";
> fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
> drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
> It fires perfectly. Thanks for the update.
Thank you Joel. If there are any false positive reports (I would be surprised
if there are), we can always go with the initial additional content byte-match,
distance:0; against the %PDF header.
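To show what the `distance:0` fallback mentioned above changes, here is a small Python emulation of Snort's ordered content matching for the two contents in sid 21417, added here and not part of the thread or of Snort itself; the PDF fragments are constructed samples, not real files.

```python
# Content options transcribed from the rule in the thread (sid 21417 rev 3).
# |0D 0A| is Snort's hex notation for CR LF.
PDF_HEADER = b"%PDF-1.6\r\n"
CREATION_DATE = b") /CreationDate (D:20110405234628)>>"


def match_contents(data, contents):
    """Emulate Snort's ordered content matching over one buffer.

    contents is a list of (pattern, distance) tuples. distance=None means the
    pattern may occur anywhere in the buffer (no relative modifier, as in the
    rule Joel posted; fast_pattern:only selects the pattern for the fast
    matcher and adds no positional constraint). distance=N means the pattern
    must begin at least N bytes after the end of the previous match, which is
    Snort's relative `distance:N` modifier. Returns True when every content
    matches.
    """
    cursor = 0  # end offset of the previous match, used by relative contents
    for pattern, distance in contents:
        if distance is None:
            pos = data.find(pattern)
        else:
            pos = data.find(pattern, cursor + distance)
        if pos < 0:
            return False
        cursor = pos + len(pattern)
    return True


def rule_fires(data, anchored=False):
    """sid 21417 as posted (anchored=False), or with distance:0 on the
    CreationDate content so it must follow the %PDF header (anchored=True)."""
    distance = 0 if anchored else None
    return match_contents(data, [(PDF_HEADER, None), (CREATION_DATE, distance)])


# Constructed sample buffers (assumed layouts, not captured files).
HOSTILE_PDF = (PDF_HEADER
               + b"1 0 obj\n<</Producer (x) /CreationDate (D:20110405234628)>>\n"
               + b"endobj\n")
BENIGN_PDF = (b"%PDF-1.4\r\n"
              + b"1 0 obj\n<</Producer (x) /CreationDate (D:20120305122859)>>\n"
              + b"endobj\n")
# Date string before the header: only the unanchored form still matches.
OUT_OF_ORDER = CREATION_DATE + b"\n" + PDF_HEADER

if __name__ == "__main__":
    for name, buf in [("hostile", HOSTILE_PDF), ("benign", BENIGN_PDF),
                      ("out-of-order", OUT_OF_ORDER)]:
        print(name, rule_fires(buf), rule_fires(buf, anchored=True))
```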