[Snort-sigs] [Emerging-Sigs] Rule assist

James Lay jlay at ...3266...
Tue Jun 25 13:22:18 EDT 2013


On 2013-06-25 11:10, Joel Esler wrote:
> content:"GET /?1 HTTP/1.1"; fast_pattern:only;
>
> is your best bet.
>
> You could break it out like this if you want:
>
> urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
> content:"HTTP/1.1";
>
> "HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the
> problem?
>
> --
> JOEL ESLER
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

Thanks Joel and Will...here's the full rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000082; rev:1;)

Going to run this in production and see how it flies.

James
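The two rule variants discussed in the thread, modelled as an added example (not Snort's engine and not code from the list): a plain raw-payload search for "GET /?1 HTTP/1.1" versus the broken-out form that checks urilen and the http_method / http_uri buffers. The sample requests are constructed; the host name is a placeholder.

```python
# Added example: simplified model of the two rule variants from the thread.
# This is NOT Snort's detection engine; it only shows where each variant
# looks for its content. Sample requests below are constructed.

def parse_request_line(payload: bytes):
    """Return (method, uri, version) from the first line, or None if malformed."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]

def raw_rule(payload: bytes) -> bool:
    """content:"GET /?1 HTTP/1.1"; fast_pattern:only; -- searched anywhere in the payload."""
    return b"GET /?1 HTTP/1.1" in payload

def buffered_rule(payload: bytes) -> bool:
    """urilen:3; content:"GET"; http_method; content:"/?1"; http_uri; content:"HTTP/1.1";"""
    parsed = parse_request_line(payload)
    if parsed is None:
        return False
    method, uri, _version = parsed
    # The final content has no http_* modifier, so it is a raw payload search.
    return (len(uri) == 3 and b"GET" in method and b"/?1" in uri
            and b"HTTP/1.1" in payload)

# Constructed sample traffic (example.invalid is a placeholder host).
REQUESTS = {
    "redirect": b"GET /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "longer_uri": b"GET /?1abc HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "string_in_body": (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                       b"log: GET /?1 HTTP/1.1"),
}

def evaluate(payload: bytes) -> dict:
    """Run both variants over one request and report which would alert."""
    return {"raw": raw_rule(payload), "buffered": buffered_rule(payload)}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        print(name, evaluate(req))
```

The raw variant also fires when the string merely appears in a request body, which the buffer-anchored variant ignores; that is the trade-off behind Joel's two suggestions.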
