[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"

Joel Esler jesler at ...435...
Fri Mar 30 08:25:12 EDT 2012

I made many announcements, both on the list and on the blog. In fact, I titled the blog post the exact error, so if people Google the error it will come right up. It's on the blog at blog.snort.org

Joel Esler

On Mar 30, 2012, at 12:20 AM, waldo kitty <wkitty42 at ...3507...> wrote:

> On 3/5/2012 10:48, Joel Esler wrote:
>> Nathan, I changed our rule to this:
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
>> It fires perfectly.  Thanks for the update.
> hey joel, wasn't there a blog announcement about FILE_DATA_PORTS? i've had numerous 
> folk contacting me about IDS failures concerning this change and i'm unable to 
> find where to point them for the changes they need to make :(
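The rule quoted above keys on two byte strings in the reassembled file_data buffer: the exact `%PDF-1.6` header followed by CR LF, and the `) /CreationDate (D:20110405234628)>>` fragment from the document's Info dictionary. The following Python is an added illustration, not Snort code and not part of this thread; it mirrors just those two content matches over constructed sample PDFs so you can see which variants the rule does and does not catch. It does not model the flowbits:isset,file.pdf prerequisite, stream reassembly, or the $FILE_DATA_PORTS port set; those are handled by Snort itself.

```python
"""Mirror of the two content matches in SID 21417 (rev 3).

Added example, not part of the original message. The sample PDFs below are
constructed byte strings, not real files from the Laik exploit kit.
"""

# Byte patterns exactly as the rule writes them:
#   content:"%PDF-1.6|0D 0A|"
#   content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only;
PDF_HEADER = b"%PDF-1.6\r\n"
CREATION_DATE = b") /CreationDate (D:20110405234628)>>"


def sid21417_matches(file_data: bytes) -> bool:
    """Return True when both rule contents occur anywhere in the buffer.

    Neither content in the rule carries offset/depth/distance/within, so
    each may appear anywhere in file_data. fast_pattern:only on the second
    content only selects which string the fast pattern matcher keys on;
    it still has to be present in the payload for the rule to fire.
    """
    return PDF_HEADER in file_data and CREATION_DATE in file_data


def build_pdf(version: bytes, info_dict: bytes, eol: bytes = b"\r\n") -> bytes:
    """Constructed, minimal PDF-like document with one Info object.

    Only enough structure to carry a header and an Info dictionary; this is
    not a valid PDF and is used purely to exercise the byte matches.
    """
    return (
        b"%PDF-" + version + eol
        + b"1 0 obj" + eol + info_dict + eol + b"endobj" + eol
        + b"trailer" + eol + b"<</Info 1 0 R>>" + eol
        + b"%%EOF" + eol
    )


# Info dictionary carrying the CreationDate the rule looks for. The ") "
# in front of /CreationDate comes from the preceding string value, which is
# why the rule's content starts with a closing parenthesis and a space.
HOSTILE_INFO = b"<</Producer (Acrobat) /CreationDate (D:20110405234628)>>"
BENIGN_INFO = b"<</Producer (Acrobat) /CreationDate (D:20120330082512)>>"

SAMPLES = {
    # Both contents present: header 1.6 with CR LF, matching CreationDate.
    "hostile": build_pdf(b"1.6", HOSTILE_INFO),
    # Same CreationDate but LF-only line ends: the header content needs 0D 0A.
    "lf_header": build_pdf(b"1.6", HOSTILE_INFO, eol=b"\n"),
    # Same CreationDate but a different PDF version in the header.
    "older_version": build_pdf(b"1.5", HOSTILE_INFO),
    # Correct header but an unrelated CreationDate.
    "benign_date": build_pdf(b"1.6", BENIGN_INFO),
}


def classify(samples=SAMPLES):
    """Evaluate the rule's content logic over each constructed sample."""
    return {name: sid21417_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:14s} {'ALERT' if hit else 'no match'}")
```

Note what the lf_header and older_version cases show: the header match is byte-exact, so a file saved as `%PDF-1.5` or with LF-only line ends carries the same CreationDate but never trips this signature. The separate issue raised in the thread is configuration, not rule logic: `$FILE_DATA_PORTS` has to be declared with a `portvar` line in snort.conf before any rule referencing it will load (the snort.conf shipped with Snort 2.9.x declares it as `portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]`; confirm against your own copy), and `snort -T -c <snort.conf>` will report the undefined variable without starting inspection.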
