[Snort-sigs] Rule assist

rmkml rmkml at ...174...
Tue Mar 12 16:12:32 EDT 2013


And for performance reasons, please change to:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00 02|"; depth:11; offset:2; pcre:"/^\d{2}/R"; reference:url,https://urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:10000044; rev:3;)

Regards
Rmkml


On Tue, 12 Mar 2013, rmkml wrote:

> Hi James,
>
> Can you try with this sig please?
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/^\x02\d{2}/R"; reference:url,https://urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:10000044; rev:2;)
>
> Your pcre skills are good; simply remove the extra 'content:"|02|"; within:1;'.
>
> Regards
> Rmkml
>
>
> On Tue, 12 Mar 2013, James Lay wrote:
>
>> Hey all,
>> 
>> Been trying to get this rule:
>> 
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m"; reference:url,https://urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:10000044; rev:1;)
>> 
>> To match and it's working, but I would like to tighten it up.  Payload:
>> 
>> 00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10 .d...........20.
>> 00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61 phccofcalifornia
>> 00000020  03 63 6f 6d 00 00 01 00  01                      .com.... .
>> 
>> It always amazes me when I work with the pcre: function how little I
>> understand it ;)  I always want to treat it like a content: and start
>> applying things like depth: and offset:.  That being said, if I add a R
>> to my pcre, it doesn't fire, which I don't understand.  I understand R
>> as a pcre: modifier to match the relative end of the last pattern match,
>> which in my case would be matching the |02| yes?  What am I missing in
>> my logic?  Thanks all.
>> 
>> James
>
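The cursor behaviour this thread turns on, as an added example that is not part of the original posts: a small Python model of how Snort threads its detection cursor through a chain of content: and pcre: options (offset/depth measured from the payload start, within and the pcre R modifier measured from the end of the previous content match), run over the packet from James' hex dump. It is a deliberate simplification written for this page, not Snort code; dns_query, content_match, pcre_match, evaluate and the rule labels are assumptions of the example, and the benign and PTR queries it compares against are constructed.

```python
import re

def dns_query(txid, qname, qtype=1):
    """Build a standard DNS query (RD set, one question). Constructed helper."""
    out = txid.to_bytes(2, "big")          # transaction ID
    out += b"\x01\x00"                     # flags: standard query, recursion desired
    out += b"\x00\x01" + b"\x00\x00" * 3   # QDCOUNT=1, AN/NS/ARCOUNT=0
    for label in qname.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + qtype.to_bytes(2, "big") + b"\x00\x01"  # root, QTYPE, QCLASS IN

# The packet from the thread's hex dump (query for 20.phccofcalifornia.com).
PAYLOAD = bytes.fromhex(
    "fd64 0100 0001 0000 0000 0000"        # 12-byte DNS header
    "02 3230"                              # label "20"
    "10 706863636f6663616c69666f726e6961"  # label "phccofcalifornia"
    "03 636f6d 00"                         # label "com", root label
    "0001 0001"                            # QTYPE A, QCLASS IN
)

def content_match(payload, pattern, cursor, offset=0, depth=None, within=None, negated=False):
    """Simplified Snort content: option. offset/depth bound the search window from
    the start of the payload; within bounds it from the end of the previous match.
    Returns (matched, new_cursor); a negated content never moves the cursor."""
    if within is not None:
        lo, hi = cursor, cursor + within
    else:
        lo = offset
        hi = len(payload) if depth is None else offset + depth
    idx = payload.find(pattern, lo, hi)     # pattern must lie entirely inside [lo, hi)
    found = idx != -1
    if negated:
        return (not found), cursor
    return found, (idx + len(pattern) if found else cursor)

def pcre_match(payload, regex, cursor, relative=False):
    """Simplified Snort pcre: option. With the R modifier the regex runs against the
    bytes after the last content match, so ^ anchors at that cursor, not at byte 0."""
    subject = payload[cursor:] if relative else payload
    return re.search(regex, subject) is not None

def evaluate(payload, options):
    """Apply the option chain in order, threading the detection cursor like Snort does."""
    cursor = 0
    for kind, args in options:
        if kind == "content":
            ok, cursor = content_match(payload, cursor=cursor, **args)
        else:
            ok = pcre_match(payload, cursor=cursor, **args)
        if not ok:
            return False
    return True

HEADER_10 = bytes.fromhex("01 00 00 01 00 00 00 00 00 00")  # flags + section counts
HEADER_11 = HEADER_10 + b"\x02"                              # ... plus a 2-byte first label
NOT_REVERSE = ("content", dict(pattern=b"in-addr", negated=True))

RULES = {
    # James' rev:1 as posted: no R, so the pcre scans the whole payload (/m is irrelevant here).
    "rev1 as posted": [
        NOT_REVERSE,
        ("content", dict(pattern=HEADER_10, offset=2, depth=10)),
        ("content", dict(pattern=b"\x02", within=1)),
        ("pcre", dict(regex=rb"\x02[0-9]{2}")),
    ],
    # The same rule with R added: the cursor already sits past the 0x02 byte, so \x02 cannot match.
    "rev1 with R": [
        NOT_REVERSE,
        ("content", dict(pattern=HEADER_10, offset=2, depth=10)),
        ("content", dict(pattern=b"\x02", within=1)),
        ("pcre", dict(regex=rb"\x02[0-9]{2}", relative=True)),
    ],
    # rmkml's rev:2: drop the |02| content and let the anchored, relative pcre consume it.
    "rev2": [
        NOT_REVERSE,
        ("content", dict(pattern=HEADER_10, offset=2, depth=10)),
        ("pcre", dict(regex=rb"^\x02\d{2}", relative=True)),
    ],
    # rmkml's rev:3: fold the 0x02 into the longer content match so the regex only checks two digits.
    "rev3": [
        NOT_REVERSE,
        ("content", dict(pattern=HEADER_11, offset=2, depth=11)),
        ("pcre", dict(regex=rb"^\d{2}", relative=True)),
    ],
}

def matches(rule, payload=PAYLOAD):
    return evaluate(payload, RULES[rule])

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:16} -> {matches(name)}")
    benign = dns_query(0x1234, "www.example.com")                   # constructed: ordinary lookup
    reverse = dns_query(0x1234, "10.1.168.192.in-addr.arpa", 12)   # constructed: PTR, 2-digit first label
    print("rev3 on benign:", matches("rev3", benign), "| on in-addr PTR:", matches("rev3", reverse))
```

Run as a script it prints True for rev1 as posted, rev2 and rev3 and False for rev1 with R, which is the behaviour James saw: after `content:"|02|"; within:1;` the cursor is already past the 0x02 byte, so a relative `/\x02.../R` starts one byte too late. The PTR query shows why the negated `in-addr` content is there: a reverse lookup for an address ending in a two-digit octet would otherwise satisfy both the header content and the two-digit regex.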