[Snort-sigs] [Emerging-Sigs] Rule assist

Will Metcalf wmetcalf at ...3525...
Tue Jun 25 13:51:39 EDT 2013


Just as an FYI all of my hits on these eventually lead to smoke loader and
its associated sigs firing.

Regards,

Will


On Tue, Jun 25, 2013 at 12:22 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-06-25 11:10, Joel Esler wrote:
>
>> content:"GET /?1 HTTP/1.1"; fast_pattern:only;
>>
>> is your best bet.
>>
>> You could break it out like this if you want:
>>
>> urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
>> content:"HTTP/1.1";
>>
>> "HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the
>> problem?
>>
>> --
>> JOEL ESLER
>>
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>
> Thanks Joel and Will...here's the full rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect";
> flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only;
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> classtype:bad-unknown; sid:10000082; rev:1;)
>
> Going to run this in production and see how it flies.
>
>
> James
>
>
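The two rule variants Joel proposes differ in where Snort searches: a bare `content` is matched against the raw payload, while `content` followed by `http_method` or `http_uri` is matched against the normalized HTTP buffers, and `urilen` measures the normalized URI. The script below is an added example, not code from this thread or from Snort, that emulates those checks on constructed sample requests so you can see which requests each variant fires on and where they disagree. It is a simplification: it does not reproduce http_inspect normalization (percent-decoding, directory traversal folding, etc.), only the buffer selection that the thread is about.

```python
"""Emulate what Joel's two Snort rule variants would match (added example,
not part of the thread; a deliberate simplification of Snort's matching).

Variant 1: content:"GET /?1 HTTP/1.1"; fast_pattern:only;
           -> one literal search over the raw payload.
Variant 2: urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
           content:"HTTP/1.1";
           -> method and URI are checked in their HTTP buffers; the final
              content has no http_* modifier, so it searches the raw payload.
"""


def parse_request_line(payload: bytes):
    """Return (method, uri, version) from the first line, or None if malformed.

    Stands in for the http_method / http_uri buffers Snort's http_inspect
    preprocessor would populate.
    """
    first_line, _, _ = payload.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return None
    method, uri, version = parts
    return method, uri, version


def matches_raw_content(payload: bytes) -> bool:
    """Variant 1: literal substring search anywhere in the raw payload."""
    return b"GET /?1 HTTP/1.1" in payload


def matches_buffered(payload: bytes) -> bool:
    """Variant 2: per-buffer checks, plus one raw-payload check for the version."""
    parsed = parse_request_line(payload)
    if parsed is None:
        return False
    method, uri, _version = parsed
    return (
        len(uri) == 3                # urilen:3
        and b"GET" in method         # content:"GET"; http_method;
        and b"/?1" in uri            # content:"/?1"; http_uri;
        and b"HTTP/1.1" in payload   # content:"HTTP/1.1"; (no buffer modifier)
    )


# Constructed sample requests; example.invalid is a reserved placeholder host.
SAMPLE_REQUESTS = {
    "hit": b"GET /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "longer_uri": b"GET /?12 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "http10": b"GET /?1 HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # The literal string appears only in the body of an unrelated POST:
    # variant 1 fires on it, variant 2 does not, because the method buffer
    # holds "POST" and the URI buffer holds "/submit".
    "in_body": (
        b"POST /submit HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Length: 16\r\n\r\nGET /?1 HTTP/1.1"
    ),
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each sample name to (variant1_fires, variant2_fires)."""
    return {
        name: (matches_raw_content(p), matches_buffered(p))
        for name, p in requests.items()
    }


if __name__ == "__main__":
    for name, (raw, buffered) in evaluate().items():
        print(f"{name:12s} raw-content={raw!s:5s} buffered={buffered}")
```

The `in_body` sample is the practical difference: the single raw `content` is cheaper to evaluate but fires wherever the 16 bytes happen to occur, whereas the buffered form ties the match to the request line itself. In production the raw form is still a reasonable choice for a `fast_pattern:only` rule, since the string is unlikely in legitimate traffic, but the buffered form is what to reach for if the simpler rule proves noisy.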