[Snort-sigs] Quick rule question

Joel Esler jesler at ...435...
Fri Oct 19 11:29:30 EDT 2012


On Oct 19, 2012, at 11:23 AM, James Lay <jlay at ...3266...> wrote:
> On 2012-10-19 08:39, Joel Esler wrote:
>> content:".htm"; content:"|22|"; distance:0; within:2; pcre:"/\/html?\x22/";
>> 
>> Something like that?
>> Is that what you are trying to do?
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>> 
>> On Oct 19, 2012, at 10:24 AM, James Lay <jlay at ...3266...> wrote:
>> 
>>> Hey all,
>>> 
>>> Quick question...trying to match:
>>> 
>>> .htm"  OR  .html"
>>> 
>>> my content can be htm and that's fine, but I need to make sure to have
>>> the end quote at the end.
>>> 
>>> Thanks all.
>>> 
>>> James
>>> 
> 
> Thanks Joel and Mike,
> 
> I'm trying to modify this rule to catch both .html" and .htm" as I've seen some changes:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS Blackhole exploit kit possible email Landing"; flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; content:"/index.html|22|"; distance:0; within:50; pcre:"/\x2f[a-z0-9]{6,8}\x2findex\.html\x22/msi"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:10000018; rev:4;)


We've seen some real positive results in the field with that rule (sid: 24171).  We get a FP every once in a while, but for the most part, it's doing a great job.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
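The following is an added example, not code from the thread or from Snort: it emulates the content/distance/within chain and the PCRE of James's rule in Python, beside a modified version built from Joel's suggestion (the modified rule, the sample bodies and the helper names are this example's own assumptions), so the change can be checked against constructed payloads before it goes into a ruleset.

```python
import re

# Added example (not from the thread or Snort): emulate the Snort matchers
# used in James's rule so the change Joel suggested can be checked offline.

def content_chain(payload: bytes, contents) -> bool:
    """Emulate chained Snort content matches: contents is a list of
    (pattern, distance, within). The first pattern is searched anywhere; each
    later one must start at least `distance` bytes after the previous match
    ends and lie fully inside the next `within` bytes (None = no limit)."""
    end = 0
    for i, (pat, distance, within) in enumerate(contents):
        if i == 0:
            idx = payload.find(pat)
        else:
            start = end + distance
            window = payload[start:] if within is None else payload[start:start + within]
            rel = window.find(pat)
            idx = -1 if rel == -1 else start + rel
        if idx == -1:
            return False
        end = idx + len(pat)
    return True

# Original rule from the thread: only ".html" followed by a quote.
ORIG_PCRE = re.compile(rb'/[a-z0-9]{6,8}/index\.html"', re.M | re.S | re.I)

def matches_original_rule(payload: bytes) -> bool:
    chain = [(b'href="http://', 0, None), (b'/index.html"', 0, 50)]
    return content_chain(payload, chain) and ORIG_PCRE.search(payload) is not None

# Modified rule (this example's assumption, built from Joel's suggestion):
# match ".htm", require the quote within 2 bytes (covers .htm" and .html"),
# and make the "l" optional in the PCRE so both spellings are confirmed.
MOD_PCRE = re.compile(rb'/[a-z0-9]{6,8}/index\.html?"', re.M | re.S | re.I)

def matches_modified_rule(payload: bytes) -> bool:
    chain = [(b'href="http://', 0, None), (b'/index.htm', 0, 50), (b'"', 0, 2)]
    return content_chain(payload, chain) and MOD_PCRE.search(payload) is not None

# Constructed sample message bodies (not real traffic).
SAMPLES = {
    "html": b'<a href="http://example.invalid/ab12cd/index.html">open</a>',
    "htm": b'<a href="http://example.invalid/ab12cd34/index.htm">open</a>',
    "htmx": b'<a href="http://example.invalid/ab12cd/index.htmx">open</a>',
    "short_dir": b'<a href="http://example.invalid/ab1/index.html">open</a>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10} original={matches_original_rule(body)} "
              f"modified={matches_modified_rule(body)}")
```

The "htmx" and "short_dir" samples show why the PCRE stays in the rule: the content chain alone accepts `.htmx"` and a too-short directory name, and the PCRE rejects both.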


