[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"

Dave Venman dvenman at ...435...
Fri Mar 30 04:34:53 EDT 2012


Is this the one?

  http://blog.snort.org/2012/01/portvar-lookup-failed-on-filedataports.html

On 30 March 2012 05:20, waldo kitty <wkitty42 at ...3507...> wrote:

> On 3/5/2012 10:48, Joel Esler wrote:
> > Nathan, I changed our rule to this:
> >
> > alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
> > (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit";
> > flow:to_client,established; flowbits:isset,file.pdf; file_data;
> > content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>";
> > fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
> > drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
> >
> > It fires perfectly.  Thanks for the update.
> hey joel, wasn't there a blog announcement about FILE_DATA_PORTS? i've
> numerous folk contacting me about IDS failures concerning this change and
> i'm unable to find where to point them for the changes they need to make :(
>



-- 
Dave Venman
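The failure waldo kitty describes is Snort refusing a rule because its header references a variable (here $FILE_DATA_PORTS) that the local snort.conf never defines. The script below is an added example, not code from the thread or from the Snort project: it parses var/portvar/ipvar lines out of a config, follows references inside those definitions (such as !$HOME_NET), and reports which variables a rule header uses that were never defined. The two config snippets are constructed; the FILE_DATA_PORTS definition is assumed to mirror the one shipped in the stock snort.conf of the Snort release that introduced the variable (check your own config rather than trusting the value here).

```python
import re

# Constructed sample: a snort.conf that predates the FILE_DATA_PORTS change.
OLD_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# Constructed sample: the same config with the missing portvar added.
# The value is an assumption modelled on the stock snort.conf; adjust locally.
NEW_CONF = OLD_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

# The rule quoted in the thread (sid 21417, rev 3), on a single line.
RULE = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
        '(msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; '
        'flow:to_client,established; flowbits:isset,file.pdf; file_data; '
        'content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; '
        'fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, '
        'service http; classtype:trojan-activity; sid:21417; rev:3;)')

DEF_RE = re.compile(r'^\s*(?:var|portvar|ipvar)\s+([A-Za-z_][A-Za-z0-9_]*)\s+(.*)$')
REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def parse_definitions(conf_text):
    """Return {name: value} for every var/portvar/ipvar line in the config."""
    defs = {}
    for line in conf_text.splitlines():
        m = DEF_RE.match(line)
        if m:
            defs[m.group(1)] = m.group(2).strip()
    return defs


def rule_header(rule):
    """The header is everything before the '(' that opens the option list.

    Only the header is scanned so that a '$' inside a content string is
    not mistaken for a variable reference."""
    return rule.split('(', 1)[0]


def undefined_variables(rule, defs):
    """Sorted list of variables the rule header needs but the config lacks.

    References inside definitions are followed too, so EXTERNAL_NET being
    defined as !$HOME_NET also requires HOME_NET to exist."""
    missing = []
    seen = set()
    todo = REF_RE.findall(rule_header(rule))
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name not in defs:
            missing.append(name)
        else:
            todo.extend(REF_RE.findall(defs[name]))
    return sorted(missing)


def check_rules(rules, conf_text):
    """Map each rule's sid (or its first 40 chars if it has none) to its
    list of undefined variables under the given config."""
    defs = parse_definitions(conf_text)
    report = {}
    for rule in rules:
        sid = re.search(r'sid:\s*(\d+)', rule)
        key = sid.group(1) if sid else rule[:40]
        report[key] = undefined_variables(rule, defs)
    return report


if __name__ == '__main__':
    for label, conf in (('old', OLD_CONF), ('new', NEW_CONF)):
        for sid, missing in check_rules([RULE], conf).items():
            status = 'OK' if not missing else 'undefined: ' + ', '.join(missing)
            print(f'{label} config, sid {sid}: {status}')
```

Run against the old config the script names FILE_DATA_PORTS as the undefined variable; against the config with the portvar added it reports nothing, which is the state a ruleset update such as the one in this thread expects the sensor to be in.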