[Snort-sigs] Quick rule question

James Lay jlay at ...3266...
Fri Oct 19 11:23:05 EDT 2012


On 2012-10-19 08:39, Joel Esler wrote:
> content:".htm"; content:"|22|"; distance:0; within:2; 
> pcre:"/\/html?\x22/";
>
> Something like that?
> Is that what you are trying to do?
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Oct 19, 2012, at 10:24 AM, James Lay <jlay at ...3266...> 
> wrote:
>
>> Hey all,
>>
>> Quick question...trying to match:
>>
>> .htm"  OR  .html"
>>
>> my content can be htm and that's fine, but I need to make sure to 
>> have
>> the end quote at the end.
>>
>> Thanks all.
>>
>> James
>>

Thanks Joel and Mike,

I'm trying to modify this rule to catch both .html" and .htm" as I've 
seen some changes:

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Blackhole exploit kit possible email Landing"; flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; content:"/index.html|22|"; distance:0; within:50; pcre:"/\x2f[a-z0-9]{6,8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000018; rev:4;)

I've seen some variations now that have indext.htm" that this rule 
isn't hitting. Thanks again.

James
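Added example, not from the thread or from the VRT rule: a small Python harness that approximates the rule's content chain (first content, then the second content under distance:0; within:50, then the pcre over the payload) so a pcre change can be checked against constructed hrefs before it goes into the rule. It assumes the second content is shortened to "/index.htm" (the shared prefix) and that the pcre is changed to `html?` so the trailing quote is still enforced; the function and sample names are mine.

```python
import re

# Original pcre from the rule, and the assumed modification that accepts
# both ".html" and ".htm" while still requiring the closing quote (\x22).
PCRE_ORIGINAL = re.compile(rb"\x2f[a-z0-9]{6,8}\x2findex\.html\x22", re.M | re.S | re.I)
PCRE_MODIFIED = re.compile(rb"\x2f[a-z0-9]{6,8}\x2findex\.html?\x22", re.M | re.S | re.I)

FIRST = b'href="http://'   # content:"href=|22|http|3a 2f 2f|"
SECOND = b"/index.htm"      # assumed replacement for content:"/index.html|22|"
WITHIN = 50                 # distance:0; within:50 relative to the first match

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "html_quoted": b'<a href="http://mail.example/abc123/index.html">x</a>',
    "htm_quoted":  b'<a href="http://mail.example/abc123/index.htm">x</a>',
    "no_quote":    b'<a href="http://mail.example/abc123/index.htmlx">x</a>',
    "short_dir":   b'<a href="http://mail.example/a/index.htm">x</a>',
    "too_far":     b'<a href="http://' + b"h" * 60 + b'/abc123/index.htm">x</a>',
}


def rule_matches(payload: bytes, pcre: re.Pattern) -> bool:
    """Approximate Snort evaluation: each occurrence of FIRST is tried; SECOND must
    start at the end of FIRST (distance:0) and end within WITHIN bytes of it;
    the pcre is then searched over the whole payload."""
    start = 0
    while True:
        i = payload.find(FIRST, start)
        if i == -1:
            return False
        after = i + len(FIRST)
        window = payload[after:after + WITHIN]
        if window.find(SECOND) != -1 and pcre.search(payload):
            return True
        start = i + 1


def evaluate(pcre: re.Pattern) -> dict:
    """Return {sample name: matched?} for every constructed sample."""
    return {name: rule_matches(p, pcre) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, pcre in (("original", PCRE_ORIGINAL), ("modified", PCRE_MODIFIED)):
        print(label, evaluate(pcre))
```

The "too_far" sample shows why the content chain still matters: the modified pcre alone would match it, but the second content falls outside the 50-byte window, so the rule does not fire.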