[Snort-sigs] Rule assist

rmkml rmkml at ...174...
Tue Mar 12 16:09:15 EDT 2013


Hi James,

Can you try with this sig please?

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; content:!"in-addr";
  content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/^\x02\d{2}/R";
  reference:url,https://urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:10000044; rev:2;)

Your pcre skills are good, simply remove extra 'content:"|02|"; within:1;'.

Regards
Rmkml


On Tue, 12 Mar 2013, James Lay wrote:

> Hey all,
>
> Been trying to get this rule:
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup";
> content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
> reference:url,https://urlquery.net/report.php?id=1313067;
> classtype:bad-unknown; sid:10000044; rev:1;)
>
> To match and it's working, but I would like to tighten it up.  Payload:
>
> 00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10 .d...........20.
> 00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61 phccofcalifornia
> 00000020  03 63 6f 6d 00 00 01 00  01                      .com.... .
>
> It always amazes me when I work with the pcre: function how little I
> understand it ;)  I always want to treat it like a content: and start
> applying things like depth: and offset:.  That being said, if I add an R
> to my pcre, it doesn't fire, which I don't understand.  I understand R
> as a pcre: modifier to match the relative end of the last pattern match,
> which in my case would be matching the |02| yes?  What am I missing in
> my logic?  Thanks all.
>
> James

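As an added illustration (not part of either mail), a small Python model of how Snort advances its detection cursor, run over a copy of the payload from James's hexdump: James's rev:1 rule fires without R but not with it, because the extra content:"|02|"; within:1; moves the cursor past the 0x02 byte, while rmkml's rev:2 rule anchors the pcre at the byte right after the header match. The Snort semantics are simplified (no fast-pattern, no preprocessors) and the benign query is constructed.

```python
import re

# Constructed from the hexdump in James's mail: DNS A query for 20.phccofcalifornia.com.
BEK_QUERY = bytes.fromhex("fd640100000100000000000002323010"
                          "706863636f6663616c69666f726e6961"
                          "03636f6d0000010001")
# Constructed benign query for www.example.com with the same header layout.
BENIGN_QUERY = bytes.fromhex("123401000001000000000000") + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
DNS_HDR = bytes.fromhex("01000001000000000000")  # the 10 bytes both rules match at offset:2

def content(pat, offset=0, depth=None, within=None, negated=False):
    return ("content", pat, offset, depth, within, negated)

def pcre(pattern, relative=False):
    return ("pcre", re.compile(pattern), relative)

def match_rule(payload, options):
    """Simplified Snort payload detection: absolute content: searches [offset, offset+depth);
    within: and pcre /R search from the cursor left by the previous match, '^' anchoring there."""
    cursor = 0
    for opt in options:
        if opt[0] == "content":
            _, pat, offset, depth, within, negated = opt
            if within is not None:
                start, end = cursor, cursor + within
            else:
                start, end = offset, (len(payload) if depth is None else offset + depth)
            idx = payload.find(pat, start, end)
            if (idx != -1) == negated:  # found a negated pattern, or missed a required one
                return False
            if idx != -1:
                cursor = idx + len(pat)
        else:
            _, rx, relative = opt
            base = cursor if relative else 0
            m = rx.search(payload[base:])  # slicing makes '^' mean "at the cursor"
            if not m:
                return False
            cursor = base + m.end()
    return True

def james_rev1(relative):
    # content:"|02|"; within:1; consumes the 0x02 byte, so a pcre with R starts after it
    return [content(b"in-addr", negated=True), content(DNS_HDR, offset=2, depth=10),
            content(b"\x02", within=1), pcre(rb"\x02[0-9]{2}", relative=relative)]

def rmkml_rev2():
    # pcre anchored at the cursor: 0x02 must be the first label length, followed by two digits
    return [content(b"in-addr", negated=True), content(DNS_HDR, offset=2, depth=10),
            pcre(rb"^\x02\d{2}", relative=True)]
```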