[Snort-sigs] [Emerging-Sigs] Rule assist

Joel Esler jesler at ...435...
Tue Jun 25 13:57:55 EDT 2013


On Jun 25, 2013, at 1:22 PM, James Lay <jlay at ...3266...> wrote:
> On 2013-06-25 11:10, Joel Esler wrote:
>> content:"GET /?1 HTTP/1.1"; fast_pattern:only;
>> 
>> is your best bet.
>> 
>> You could break it out like this if you want:
>> 
>> urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
>> content:"HTTP/1.1";
>> 
>> "HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the
>> problem?
>> 
>> --
>> JOEL ESLER
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> 
> Thanks Joel and Will...here's the full rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000082; rev:1;)


Sounds good, let me know.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
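As an added illustration, not part of this thread or of Snort itself, the following Python script models how the two rule forms in the quoted reply evaluate a request. Snort's HTTP inspection splits the request line into separate buffers (method, URI) that http_method and http_uri match against, while the version token is left in the raw payload and so has to be matched with a plain content: option. The split_request_line helper is a deliberately simplified stand-in for that inspection, and the sample requests are constructed.

```python
"""Model of the two rule forms discussed above (added example, not Snort code).

single_content_rule()  ~ content:"GET /?1 HTTP/1.1"; fast_pattern:only;
broken_out_rule()      ~ urilen:3; content:"GET"; http_method;
                         content:"/?1"; http_uri; content:"HTTP/1.1";
"""

from dataclasses import dataclass


@dataclass
class RequestLine:
    raw: bytes       # whole request payload, as a plain content: option sees it
    method: bytes    # what http_method matches against
    uri: bytes       # what http_uri / urilen operate on
    version: bytes   # not in any buffer; only reachable via raw content


def split_request_line(raw: bytes) -> RequestLine:
    """Split the first line of an HTTP request into method, URI and version.

    Simplification of the preprocessor's work: no normalisation, no
    handling of folded or malformed lines.
    """
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, version = parts
    return RequestLine(raw=raw, method=method, uri=uri, version=version)


def single_content_rule(raw: bytes) -> bool:
    """One raw-payload match, anywhere in the packet data."""
    return b"GET /?1 HTTP/1.1" in raw


def broken_out_rule(raw: bytes) -> bool:
    """The same condition expressed against the HTTP buffers."""
    try:
        req = split_request_line(raw)
    except ValueError:
        return False
    return (
        len(req.uri) == 3                # urilen:3
        and req.method == b"GET"         # content:"GET"; http_method
        and b"/?1" in req.uri            # content:"/?1"; http_uri
        and b"HTTP/1.1" in req.raw       # content:"HTTP/1.1" (raw, no buffer)
    )


# Constructed sample requests; not traffic from the thread.
SAMPLE_REQUESTS = {
    "exact":      b"GET /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "longer_uri": b"GET /?1abc HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "http10":     b"GET /?1 HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    # Request line in a POST body: the raw content match fires, the
    # buffer-based form does not because the method buffer holds POST.
    "embedded":   (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"Content-Length: 16\r\n\r\nGET /?1 HTTP/1.1"),
}


def evaluate_all() -> dict:
    """Return {sample name: (single_content_hit, broken_out_hit)}."""
    return {name: (single_content_rule(r), broken_out_rule(r))
            for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (single, broken) in evaluate_all().items():
        print(f"{name:11s} single={single!s:5s} broken_out={broken}")
```

The "embedded" sample is the one worth noticing: the single raw content match is satisfied by the string appearing anywhere in the payload, whereas the broken-out form only fires when the method and URI buffers themselves carry the values, which is the precision the buffer-specific options buy.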
