[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"

Joel Esler jesler at ...435...
Mon Mar 5 12:47:32 EST 2012


Correct me if I'm wrong (I'm on my phone right now), but I believe the additional content match just checked for the 19th object header; is that correct?

--
Joel Esler

On Mar 5, 2012, at 12:28 PM, Community Proposed <lists at ...3397...> wrote:

> On Mon, 5 Mar 2012 10:48:41 -0500 Joel Esler <jesler at ...435...> wrote
> 
>> Nathan, I changed our rule to this:
>> 
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
>> (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit";
>> flow:to_client,established; flowbits:isset,file.pdf; file_data;
>> content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>";
>> fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
>> drop, service http; classtype:trojan-activity; sid:21417; rev:3;) 
>> 
>> It fires perfectly.  Thanks for the update.
> 
> Thank you, Joel. If there are any false-positive reports (I would be surprised
> if there are), we can always go with the initial additional content byte-match,
> distance:0, against the %PDF header.
> 
> Thanks,
> Nathan
> 

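The following is an added example, not code from the Snort-sigs thread or from the Snort project. It emulates, in Python, only the two content options of sid:21417 rev:3 over constructed PDF-like byte strings (the samples below are made up for illustration, not captures from the thread), and alongside it the fallback Nathan describes: the CreationDate content anchored with distance:0 so that it must occur after the %PDF header match. flow, flowbits and the file_data buffer are assumed to have been satisfied already. The third sample places the CreationDate marker before the header, which is where the two variants diverge.

```python
"""Emulate the content matching of Snort sid:21417 rev:3 (added example).

Only the two ``content`` options are modelled.  flow:to_client, the
file.pdf flowbit and the file_data buffer are assumed to be satisfied.
"""

# content:"%PDF-1.6|0D 0A|"  -- Snort's |..| pipe notation is raw hex bytes.
HEADER = b"%PDF-1.6" + bytes.fromhex("0D0A")

# content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only
CREATION = b") /CreationDate (D:20110405234628)>>"

# Constructed samples (not real files from the thread).
# 1. Header first, then an info dictionary carrying the marker date.
LAIK_LIKE = (
    HEADER
    + b"1 0 obj\n<< /Producer (x) /CreationDate (D:20110405234628)>>\nendobj\n"
    + b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

# 2. Same layout, different CreationDate: should not fire.
BENIGN = (
    HEADER
    + b"1 0 obj\n<< /Producer (x) /CreationDate (D:20120305124732)>>\nendobj\n"
    + b"trailer\n<< /Info 1 0 R >>\n%%EOF\n"
)

# 3. Marker date appears before the %PDF header (junk prefix).
MARKER_BEFORE_HEADER = (
    b"<< /Producer (x) /CreationDate (D:20110405234628)>>\n"
    + HEADER
    + b"1 0 obj\n<< /Producer (x) >>\nendobj\n%%EOF\n"
)


def matches_rev3(file_data: bytes) -> bool:
    """rev:3 as posted: two absolute content matches.

    Neither content carries offset/depth/distance/within, so each is an
    independent search over the whole file_data buffer and their relative
    order does not matter.
    """
    return HEADER in file_data and CREATION in file_data


def matches_relative(file_data: bytes) -> bool:
    """Nathan's fallback: the CreationDate content with distance:0.

    distance is measured from the end of the previous match, so the second
    content must begin at or after the byte following the %PDF header.
    """
    h = file_data.find(HEADER)
    if h < 0:
        return False
    return file_data.find(CREATION, h + len(HEADER)) >= 0


def evaluate(file_data: bytes) -> dict:
    """Return which rule variant would fire on the given buffer."""
    return {
        "rev3_absolute": matches_rev3(file_data),
        "distance0_relative": matches_relative(file_data),
    }


if __name__ == "__main__":
    for name, sample in (
        ("LAIK_LIKE", LAIK_LIKE),
        ("BENIGN", BENIGN),
        ("MARKER_BEFORE_HEADER", MARKER_BEFORE_HEADER),
    ):
        print(name, evaluate(sample))
```

The absolute form fires on any buffer that contains both strings anywhere, which is why the third sample fires under rev:3 but not under the distance:0 form. One caveat when switching to the relative form: fast_pattern:only hands the CreationDate string to the fast-pattern matcher without re-evaluating it as a rule option, so a distance:0 match would use plain fast_pattern instead (an assumption about Snort's option semantics, not something stated in the thread).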