[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"

Community Proposed lists at ...3397...
Mon Mar 5 12:28:59 EST 2012


On Mon, 5 Mar 2012 10:48:41 -0500 Joel Esler <jesler at ...435...> wrote

> Nathan, I changed our rule to this:
> 
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit";
> flow:to_client,established; flowbits:isset,file.pdf; file_data;
> content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>";
> fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
> drop, service http; classtype:trojan-activity; sid:21417; rev:3;) 
>
> It fires perfectly.  Thanks for the update.

Thank you, Joel. If there are any false-positive reports (I would be surprised
if there are), we can always go with the initial additional content byte-match,
distance:0; against the %PDF header.

Thanks,
Nathan
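To make the difference between the two matching strategies in this thread concrete, here is an added example (not code from the thread or from the Snort project): a loose emulation of the rev:3 rule's two absolute content matches versus Nathan's fallback of a second content made relative to the %PDF header with distance:0, run over constructed PDF byte strings. It mimics only the presence and ordering semantics of Snort content matching, not the Snort engine itself.

```python
# Added example: emulate the rev:3 rule (two absolute contents) against the
# distance:0 fallback (marker relative to the header) on constructed samples.

PDF_HEADER = b"%PDF-1.6\r\n"              # content:"%PDF-1.6|0D 0A|"
LAIK_MARKER = b") /CreationDate (D:20110405234628)>>"  # second content


def matches_absolute(buf: bytes) -> bool:
    """rev:3 logic: both contents present anywhere in the file_data buffer.
    fast_pattern:only places the marker in the fast-pattern matcher with no
    positional relationship to the header."""
    return PDF_HEADER in buf and LAIK_MARKER in buf


def matches_relative(buf: bytes) -> bool:
    """Fallback logic: marker must occur at or after the end of the header
    match (distance:0 makes the second content relative to the first).
    Searching after the earliest header covers any later header too."""
    hdr = buf.find(PDF_HEADER)
    if hdr == -1:
        return False
    return buf.find(LAIK_MARKER, hdr + len(PDF_HEADER)) != -1


# Constructed samples (assumed, not real captures).
SAMPLES = {
    # Header followed by the CreationDate the rule keys on: both fire.
    "laik_like": PDF_HEADER
    + b"1 0 obj<</Producer (x) /CreationDate (D:20110405234628)>>endobj",
    # Ordinary PDF with a different CreationDate: neither fires.
    "benign": PDF_HEADER
    + b"1 0 obj<</Producer (x) /CreationDate (D:20120305122859)>>endobj",
    # Edge case: marker bytes precede the header (e.g. leading junk).
    # Absolute matching still fires; the relative variant does not.
    "marker_before_header": LAIK_MARKER + b"\r\n" + PDF_HEADER
    + b"1 0 obj<<>>endobj",
}


def evaluate(samples: dict) -> dict:
    """Return {name: (absolute_hit, relative_hit)} for each sample."""
    return {n: (matches_absolute(b), matches_relative(b)) for n, b in samples.items()}


if __name__ == "__main__":
    for name, (absolute, relative) in evaluate(SAMPLES).items():
        print(f"{name:22} absolute={absolute!s:5} relative={relative}")
```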
