[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"

Joel Esler jesler at ...435...
Sat Mar 31 11:37:45 EDT 2012


http://blog.snort.org/2012/01/portvar-lookup-failed-on-filedataports.html

-- 
Joel Esler

On Mar 30, 2012, at 11:16 PM, waldo kitty <wkitty42 at ...3507...> wrote:

> On 3/30/2012 08:25, Joel Esler wrote:
>> I made many announcements. Both on the list and on the blog. In fact, I titled the blog post the exact error, so if people will Google the error it will come right up.  It's on the blog at blog.snort.org
> 
> I thought that you had... but when I checked, I couldn't find anything so I wrote my message... I definitely remember some traffic about it but :?
> 
> thanks again!
> 
>> 
>> --
>> Joel Esler
>> 
>> On Mar 30, 2012, at 12:20 AM, waldo kitty <wkitty42 at ...3507...> wrote:
>> 
>>> On 3/5/2012 10:48, Joel Esler wrote:
>>>> Nathan, I changed our rule to this:
>>>> 
>>>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
>>>> 
>>>> It fires perfectly.  Thanks for the update.
>>> hey joel, wasn't there a blog announcement about FILE_DATA_PORTS? I've numerous
>>> folk contacting me about IDS failures concerning this change and I'm unable to
>>> find where to point them for the changes they need to make :(
> 
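As an added example (not from this thread, not Snort's own code), a small Python check for the failure the linked blog post covers: a rule header that references a port variable the loaded snort.conf never defines. The two conf fragments and the FILE_DATA_PORTS value are constructed assumptions; the rule header is the sid 21417 rev 3 rule quoted above.

```python
import re

# Constructed snort.conf fragments (assumed, not Snort's shipped file): the
# first lacks the FILE_DATA_PORTS portvar, the second adds it.
OLD_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""
NEW_CONF = OLD_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

# Rule from the thread (sid 21417 rev 3); only the header matters for this check.
RULE = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
        '(msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; '
        'flow:to_client,established; sid:21417; rev:3;)')

VAR_DEF = re.compile(r'^\s*(?:ipvar|portvar|var)\s+(\w+)\s+(.*?)\s*$', re.M)
VAR_REF = re.compile(r'\$(\w+)')


def defined_vars(conf):
    """Map every ipvar/portvar/var name in a snort.conf text to its value."""
    return {name: value for name, value in VAR_DEF.findall(conf)}


def header_vars(rule):
    """Variable names referenced in a rule header (the text before the first '(')."""
    header = rule.split('(', 1)[0]
    return VAR_REF.findall(header)


def missing_vars(conf, rules):
    """Names referenced by rule headers or by other variable values but never
    defined in conf: the condition behind Snort's 'portvar lookup failed'."""
    defs = defined_vars(conf)
    referenced = set()
    for rule in rules:
        referenced.update(header_vars(rule))
    # Values may nest references, e.g. [$HTTP_PORTS,110,143] or !$HOME_NET.
    for value in defs.values():
        referenced.update(VAR_REF.findall(value))
    return sorted(referenced - defs.keys())


if __name__ == '__main__':
    print(missing_vars(OLD_CONF, [RULE]))  # ['FILE_DATA_PORTS']
    print(missing_vars(NEW_CONF, [RULE]))  # []
```

Run it against a real snort.conf and rules file by reading both into strings; anything it reports is a variable Snort will refuse to resolve at startup.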



