[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"
wkitty42 at ...3507...
Fri Mar 30 00:20:25 EDT 2012
On 3/5/2012 10:48, Joel Esler wrote:
> Nathan, I changed our rule to this:
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
> It fires perfectly. Thanks for the update.
hey joel, wasn't there a blog announcement about FILE_DATA_PORTS? i've numerous
folk contacting me about IDS failures concerning this change and i'm unable to
find where to point them for the changes they need to make :(
More information about the Snort-sigs