[Snort-sigs] Quick rule question

James Lay jlay at ...3266...
Fri Oct 19 11:34:41 EDT 2012


On 2012-10-19 09:29, Joel Esler wrote:
> On Oct 19, 2012, at 11:23 AM, James Lay <jlay at ...3266...> 
> wrote:
>> On 2012-10-19 08:39, Joel Esler wrote:
>>> content:".htm"; content:"|22|"; distance:0; within:2; 
>>> pcre:"/\/html?\x22/";
>>>
>>> Something like that?
>>> Is that what you are trying to do?
>>>
>>> --
>>> Joel Esler
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>> On Oct 19, 2012, at 10:24 AM, James Lay <jlay at ...3266...> 
>>> wrote:
>>>
>>>> Hey all,
>>>>
>>>> Quick question...trying to match:
>>>>
>>>> .htm"  OR  .html"
>>>>
>>>> my content can be htm and that's fine, but I need to make sure to 
>>>> have
>>>> the end quote at the end.
>>>>
>>>> Thanks all.
>>>>
>>>> James
>>>>
>>
>> Thanks Joel and Mike,
>>
>> I'm trying to modify this rule to catch both .html" and .htm" as 
>> I've seen some changes:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS 
>> Blackhole exploit kit possible email Landing"; 
>> flow:to_server,established; content:"href=|22|http|3a 2f 2f|"; 
>> content:"/index.html|22|"; distance:0; within:50; 
>> pcre:"/\x2f[a-z0-9]{6,8}\x2findex\.html\x22/msi"; metadata:policy 
>> balanced-ips drop, policy security-ips drop, service smtp; 
>> classtype:trojan-activity; sid:10000018; rev:4;)
>
>
> We've seen some real positive results in the field with that rule
> (sid: 24171).  We get a FP every once in a while, but for the most
> part, it's doing a great job.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Thanks Joel...maybe I'll just change the other one to specifically look 
for .htm#...I'll let you know if I get results...thanks again.

James
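As an added illustration (not code from the thread or from Sourcefire), a small Python emulation of how the content/distance/within chain Joel suggested and the pcre in the sid:10000018 rule behave on constructed SMTP-body fragments; the hosts and paths below are made up, and the helper names are hypothetical.

```python
import re

# Constructed SMTP-body fragments (not from the list thread) exercising the
# case James asked about: a quoted link ending in .htm" or .html".
SAMPLES = {
    "htm":      b'href="http://example.invalid/a1b2c3d4/index.htm"',
    "html":     b'href="http://example.invalid/a1b2c3d4/index.html"',
    "no_quote": b'href="http://example.invalid/a1b2c3d4/index.html?x=1"',
    "htmx":     b'href="http://example.invalid/a1b2c3d4/page.htmx"',
}


def content_chain(payload: bytes, first: bytes, second: bytes,
                  distance: int, within: int) -> bool:
    """Emulate two chained Snort content matches with distance/within.

    After `first` matches, the detect-offset-end (doe) sits just past it.
    `second` is then searched only in payload[doe+distance : doe+distance+within],
    so it must fit entirely inside that window. Like Snort, every occurrence
    of `first` is retried before the chain gives up.
    """
    start = 0
    while (hit := payload.find(first, start)) != -1:
        doe = hit + len(first)
        if second in payload[doe + distance: doe + distance + within]:
            return True
        start = hit + 1
    return False


def joel_suggestion(payload: bytes) -> bool:
    # content:".htm"; content:"|22|"; distance:0; within:2;
    # within:2 lets the quote sit at doe+0 (.htm") or doe+1 (.html"), but it
    # does not care what the byte in between is, so .htmx" also passes.
    return content_chain(payload, b".htm", b'"', distance=0, within=2)


def pcre_either(payload: bytes) -> bool:
    # Regex form of the same test: literal ".htm", optional "l", then \x22.
    # Unlike the content chain, this rejects .htmx".
    return re.search(rb'\.html?\x22', payload) is not None


def full_rule(payload: bytes) -> bool:
    # Body of the sid:10000018 rule: href=|22|http|3a 2f 2f| is `href="http://`,
    # then /index.html|22| within 50 bytes, then the confirming pcre (/msi).
    if not content_chain(payload, b'href="http://', b'/index.html"', 0, 50):
        return False
    return re.search(rb'\x2f[a-z0-9]{6,8}\x2findex\.html\x22',
                     payload, re.M | re.S | re.I) is not None
```

Running the checks over SAMPLES shows the trade-off discussed in the thread: the content chain alone is cheap but slightly loose, and the pcre is what pins the exact ending.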