[Snort-sigs] Rule assist

Joel Esler jesler at ...435...
Tue Mar 12 17:39:24 EDT 2013


This looks like the Cool Exploit kit.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Mar 12, 2013, at 5:10 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-03-12 10:01, James Lay wrote:
>> Hey all,
>> 
>> Been trying to get this rule:
>> 
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible
>> BEK host lookup"; content:!"in-addr";
>> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>> content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
>> reference:url,https://urlquery.net/report.php?id=1313067;
>> classtype:bad-unknown; sid:10000044; rev:1;)
>> 
>> To match and it's working, but I would like to tighten it up.  Payload:
>> 
>> 00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10  .d...........20.
>> 00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61  phccofcalifornia
>> 00000020  03 63 6f 6d 00 00 01 00  01                       .com.....
>> 
>> It always amazes me when I work with the pcre: function how little I
>> understand it ;)  I always want to treat it like a content: and start
>> applying things like depth: and offset:.  That being said, if I add an R
>> to my pcre, it doesn't fire, which I don't understand.  I understand R
>> as a pcre: modifier to match the relative end of the last pattern match,
>> which in my case would be matching the |02|, yes?  What am I missing in
>> my logic?  Thanks all.
>> 
> 
> Thanks, gents, for the responses... the rule may not be good and may FP a
> lot, but it was very educational :)
> 
> James
> 
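The following is an added illustration for the R-modifier question in the thread; it is not part of the original messages and not Snort's own detection engine. It is a small Python emulation of how a content:/pcre: chain walks a payload with a "detect offset end" cursor, run over the DNS query bytes from the hex dump above (constructed here from that dump). The emulation simplifies Snort's semantics: offset:/depth: are absolute from the payload start, within:N is a window of N bytes after the previous match, and R makes the pcre search begin at the end of the previous match (the Snort manual describes R as "similar to distance:0"). The parse_qname helper and Cursor class are names chosen for this example.

```python
"""Toy emulation of Snort content:/pcre: cursor semantics for one DNS query.
Added illustration code; not Snort's matching engine."""
import re

# Constructed from the hex dump in the thread: a DNS standard query
# (id 0xfd64, flags 0x0100, QDCOUNT 1) for 20.phccofcalifornia.com, A / IN.
PAYLOAD = bytes.fromhex(
    "fd64 0100 0001 0000 0000 0000"           # 12-byte DNS header
    "02 3230"                                 # label "20"
    "10 70686363 6f666361 6c69666f 726e6961"  # label "phccofcalifornia"
    "03 636f6d 00"                            # label "com" + root terminator
    "0001 0001"                               # QTYPE A, QCLASS IN
)


def parse_qname(payload, offset=12):
    """Decode the uncompressed QNAME that starts right after the DNS header.
    Returns (dotted name, offset just past the terminating zero label)."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


class Cursor:
    """Mimics Snort's detect-offset-end pointer: every successful content:/pcre:
    leaves the cursor just past its match, and relative options build on it."""

    def __init__(self, payload):
        self.payload = payload
        self.doe = 0          # position just past the last successful match
        self.trace = []       # (option, pattern, matched, cursor_after)

    def content(self, pattern, offset=0, depth=None, within=None, negated=False):
        if within is not None:            # relative: window right after last match
            start, end = self.doe, self.doe + within
        else:                             # absolute: offset/depth from payload start
            start = offset
            end = len(self.payload) if depth is None else offset + depth
        idx = self.payload.find(pattern, start, end)
        found = idx != -1
        if found and not negated:
            self.doe = idx + len(pattern)
        self.trace.append(("content", pattern, found, self.doe))
        return found != negated           # content:!"..." succeeds when absent

    def pcre(self, regex, relative=False):
        # Without R the regex scans the whole payload; with R it starts at the
        # cursor, i.e. the byte after the previous content: match.
        start = self.doe if relative else 0
        m = re.compile(regex, re.MULTILINE).search(self.payload, start)
        if m:
            self.doe = m.end()
        self.trace.append(("pcre", regex, m is not None, start))
        return m is not None


def run_rule(payload, pcre_pattern=rb"\x02[0-9]{2}", relative=False):
    """Evaluate the body of the thread's rule; `relative` toggles the R modifier.
    Returns (fired, trace)."""
    c = Cursor(payload)
    fired = (
        c.content(b"in-addr", negated=True)
        and c.content(bytes.fromhex("01000001000000000000"), offset=2, depth=10)
        and c.content(b"\x02", within=1)
        and c.pcre(pcre_pattern, relative=relative)
    )
    return fired, c.trace


if __name__ == "__main__":
    print("QNAME:", parse_qname(PAYLOAD)[0])
    cases = (
        (rb"\x02[0-9]{2}", False),   # the posted rule: scans from byte 0, fires
        (rb"\x02[0-9]{2}", True),    # with R: starts after the |02|, never fires
        (rb"[0-9]{2}", True),        # with R and the |02| dropped: fires again
    )
    for pattern, rel in cases:
        fired, trace = run_rule(PAYLOAD, pattern, rel)
        print(f"pcre {pattern!r} R={rel}: {'fires' if fired else 'no match'};"
              f" pcre search started at byte {trace[-1][3]}")
```

The trace makes the thread's puzzle concrete: after content:"|02|"; within:1 succeeds at byte 12, the cursor sits at byte 13 (the '2' of "20"). A pcre with R begins there, so a pattern that starts with \x02 is looking for a second length byte that the payload does not contain. Either keep the pcre absolute, as the posted rule does, or drop the already-consumed \x02 from the R-relative pattern.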


