[Snort-sigs] [Emerging-Sigs] Rule assist

James Lay jlay at ...3266...
Tue Jun 25 14:23:03 EDT 2013


On Jun 25, 2013, at 11:51 AM, Will Metcalf <wmetcalf at ...3525...> wrote:

> Just as an FYI all of my hits on these eventually lead to smoke loader and its associated sigs firing.
> 
> Regards,
> 
> Will
> 

Hey thanks Will…maybe I'll call it Initial Smoke Loader redirect or something more exciting than "Unknown".

James

> On Tue, Jun 25, 2013 at 12:22 PM, James Lay <jlay at ...3266...> wrote:
> On 2013-06-25 11:10, Joel Esler wrote:
> > content:"GET /?1 HTTP/1.1"; fast_pattern:only;
> >
> > is your best bet.
> >
> > You could break it out like this if you want:
> >
> > urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
> > content:"HTTP/1.1";
> >
> > "HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the
> > problem?
> >
> > --
> > JOEL ESLER
> >
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> Thanks Joel and Will...here's the full rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000082; rev:1;)
> 
> Going to run this in production and see how it flies.
> 
> 
> James
> 

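The two rule forms discussed above (the single raw-payload content match James kept, and the http_method / http_uri / urilen decomposition Joel suggested) differ in what they fire on. The script below is an added example, not part of the original post and not Snort code: it approximates Snort's matching semantics in plain Python and replays both forms over a few constructed request lines. Assumptions: URI normalization is reduced to percent-decoding, urilen is checked against the normalized URI (Snort's default), and flow:to_server,established is not modelled. The sample requests and the host name example.invalid are constructed for the example.

```python
"""Replay the two Snort rule forms from the thread over constructed HTTP requests.

Added example: this is NOT Snort and NOT code from the original post. It mimics
the relevant matching semantics so the two rule forms can be compared on input.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample client requests (request line plus a minimal header block).
SAMPLE_REQUESTS = [
    b"GET /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",    # the target request
    b"GET /?123 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",  # longer query: "/?1" is a prefix
    b"GET /?1 HTTP/1.0\r\nHost: example.invalid\r\n\r\n",    # same URI, older protocol version
    b"GET /%3F1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",  # "?" percent-encoded in the URI
    b"POST /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",   # wrong method
]


@dataclass
class HttpRequestLine:
    method: bytes
    uri: bytes
    version: bytes


def parse_request_line(payload: bytes) -> Optional[HttpRequestLine]:
    """Split the first line into the pieces Snort's HTTP inspector exposes as buffers.

    Returns None for anything that is not a three-token request line.
    """
    first, _, _ = payload.partition(b"\r\n")
    parts = first.split(b" ")
    if len(parts) != 3:
        return None
    return HttpRequestLine(method=parts[0], uri=parts[1], version=parts[2])


def normalize_uri(raw_uri: bytes) -> bytes:
    """Stand-in for http_uri normalization (assumption: percent-decoding only)."""
    return unquote_to_bytes(raw_uri)


def raw_rule_matches(payload: bytes) -> bool:
    """James's rule: content:"GET /?1 HTTP/1.1"; fast_pattern:only;

    A plain content match is a byte-exact substring search over the raw payload.
    """
    return b"GET /?1 HTTP/1.1" in payload


def buffered_rule_matches(payload: bytes) -> bool:
    """Joel's form: urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
    content:"HTTP/1.1";

    Each content is checked in its own buffer; "HTTP/1.1" has no buffer in Snort,
    so it is matched against the raw payload.
    """
    req = parse_request_line(payload)
    if req is None:
        return False
    norm_uri = normalize_uri(req.uri)
    return (
        len(norm_uri) == 3          # urilen:3 (assumption: normalized URI)
        and b"GET" in req.method    # content:"GET"; http_method
        and b"/?1" in norm_uri      # content:"/?1"; http_uri
        and b"HTTP/1.1" in payload  # content:"HTTP/1.1"; (raw payload)
    )


def evaluate_samples() -> List[Tuple[bytes, bool, bool]]:
    """Run both rule forms over every sample; returns (request line, raw hit, buffered hit)."""
    results = []
    for payload in SAMPLE_REQUESTS:
        line = payload.partition(b"\r\n")[0]
        results.append((line, raw_rule_matches(payload), buffered_rule_matches(payload)))
    return results


if __name__ == "__main__":
    for line, raw_hit, buf_hit in evaluate_samples():
        print(f"{line.decode():<24} raw={raw_hit!s:<5} buffered={buf_hit}")
```

Two rows are worth noting: the `/?123` request is caught by neither form, which is why `urilen:3` belongs in the decomposed rule (a bare `content:"/?1"; http_uri;` would match it), and the percent-encoded `/%3F1` request fires only the buffered form, because `http_uri` is compared against the normalized URI while the raw content match sees the bytes on the wire.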