[Snort-sigs] Snort-sigs Digest, Vol 85, Issue 22

Joel Esler jesler at ...435...
Wed Jun 26 22:54:11 EDT 2013


Doesn't really matter in this case. But it's even more irrelevant since you used fast_pattern:only.




--
Joel Esler
Sent from my iPad

On Jun 26, 2013, at 6:50 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-06-26 16:11, John Cal wrote:
>> On Wed, Jun 26, 2013 at 2:28 PM,
>> <snort-sigs-request at lists.sourceforge.net> wrote:
>> 
>>> Yippee
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"MALWARE-CNC W32.Trojan.PinkStats outbound connection";
>>> flow:to_server,established;
>>> content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header;
>>> content:"/count.asp?mac="; http_uri; content:"&ver="; http_uri;
>>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http;
>>> reference:url,http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html;
>>> classtype:trojan-activity; sid:10000083; rev:1;)
>>> 
>>> Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania
>>> 
>>> James
>> 
>> James, are there any benefits to having your rule match the URI
>> content before the UA content? I might need to read some additional
>> material to understand the order on how a signature is read by Snort,
>> but the correct flow would have the URI before the UA header,
>> correct? 
> 
> I think that would normally be the case, but I'm thinking the 
> fast_pattern checks to see if the UA is "Google page" first, then goes 
> on with the rest of the check.  fast_pattern still confuses me 
> too...what say you group, is that good reasoning for the UA to be 
> checked before the URI?
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
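A simplified model of the two-stage evaluation the thread is debating (fast-pattern prefilter first, then the remaining content options in rule order), added here as an example that is not part of the thread or of Snort itself. The request samples are constructed, and splitting a request into only http_uri and http_header buffers is an assumption that simplifies Snort's HTTP inspection.

```python
# Added example: simplified model of Snort's two-stage evaluation of the
# PinkStats rule above. Assumption: only the http_uri and http_header
# buffers are modelled; real Snort normalizes HTTP into more buffers.

# content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header;
FAST_PATTERN = b"User-Agent: Google page\r\n"
# The remaining content options, in the order written in the rule.
RULE_CONTENTS = [
    ("http_uri", b"/count.asp?mac="),
    ("http_uri", b"&ver="),
]


def split_request(raw: bytes) -> dict:
    """Split a raw HTTP request into the http_uri and http_header buffers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return {"http_uri": uri, "http_header": headers + b"\r\n"}


def evaluate(raw: bytes, contents=RULE_CONTENTS) -> tuple:
    """Return (alert, reason) for one request."""
    bufs = split_request(raw)
    # Stage 1: fast pattern matcher. A miss here means the rule body is
    # never evaluated at all, whatever the URI contains.
    if FAST_PATTERN not in bufs["http_header"]:
        return False, "fast_pattern miss"
    # Stage 2: with fast_pattern:only the UA content is not re-checked;
    # only the other content options run, in rule order. They are plain
    # substring checks on separate buffers, so their order cannot change
    # the verdict, only which miss is reported first.
    for buf, pat in contents:
        if pat not in bufs[buf]:
            return False, "content miss: %s in %s" % (pat.decode(), buf)
    return True, "alert"


# Constructed sample requests (not real captures).
HIT = (b"GET /count.asp?mac=00-11-22-33-44-55&ver=1.0 HTTP/1.1\r\n"
       b"Host: example.invalid\r\n"
       b"User-Agent: Google page\r\n\r\n")
URI_ONLY = HIT.replace(b"Google page", b"Mozilla/5.0")
UA_ONLY = HIT.replace(b"/count.asp?mac=00-11-22-33-44-55&ver=1.0", b"/index.html")

if __name__ == "__main__":
    for name, req in (("HIT", HIT), ("URI_ONLY", URI_ONLY), ("UA_ONLY", UA_ONLY)):
        # Same verdict whether the URI contents are checked in rule order or reversed.
        print(name, evaluate(req), evaluate(req, contents=RULE_CONTENTS[::-1]))
```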