[Snort-sigs] Snort rule for a pattern match?

lists at ...3397...
Wed Mar 27 10:40:00 EDT 2013


On 03/27/2013 09:29 AM, Lay, James wrote:
> James,
> 
>    The traffic could be on most any port, though it likely will be web. I think
> PCRE would be possible if the Perl look-ahead with calc capability is
> supported. I've not seen anything showing this implementation. Namely, (?{
> code }).
> 

Look-aheads work; check out SID 2016551 in the ET ruleset. Check the PCRE with
the negated look-ahead.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"?h";
http_uri; content:" Java/1."; http_header; fast_pattern;
pcre:"/\/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$/U"; classtype:trojan-activity;
sid:2016551; rev:3;)

Cheers, Nathan
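The following is an added illustration, not part of Nathan's message or of the Emerging Threats ruleset: it takes the PCRE from SID 2016551 exactly as quoted above, drops only the Snort-specific /U modifier (which selects the normalized-URI buffer rather than changing the regex), and runs it over a handful of constructed URIs with Python's re module standing in for PCRE. The function names and the sample URIs are the example's own; the point is to see what the negative look-ahead (?!ash) does and does not exclude, and how the trailing $ and the lowercase-only hex class behave.

```python
import re

# PCRE body from ET SID 2016551 as quoted in the post above. Python's re
# implements (?!...) with the same semantics as PCRE, so the look-ahead
# behaves identically here. The /U flag is omitted: in Snort it only means
# "match against the normalized URI", it is not a regex option.
NEUTRINO_URI_RE = re.compile(r"/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$")

# Constructed test URIs (hypothetical, not captured traffic). Each entry is
# (uri, why it is interesting).
SAMPLE_URIS = [
    # Positive: "?h" followed by 5+ letters that do not start with "ash",
    # "=", then exactly 24 lowercase hex chars at end of URI.
    ("/abc?hxyzab=0123456789abcdef01234567", "baseline positive"),
    # Negative look-ahead: "?hash=..." is a legitimate-looking parameter
    # and is exactly what (?!ash) is there to exclude.
    ("/abc?hash=0123456789abcdef01234567", "hash parameter excluded"),
    # Look-ahead is anchored right after the literal "h": "hhashed" still
    # matches, because after the first "h" the next chars are "has", not "ash".
    ("/abc?hhashed=0123456789abcdef01234567", "look-ahead only inspects next 3 chars"),
    # Only 4 letters after the "h": [a-z]{5,} fails.
    ("/abc?hxyza=0123456789abcdef01234567", "too few letters after h"),
    # Uppercase hex: no /i, so [a-f0-9] does not match A-F.
    ("/abc?hxyzab=0123456789ABCDEF01234567", "uppercase hex rejected"),
    # Trailing query parameter: the $ anchor requires the hex run to end the URI.
    ("/abc?hxyzab=0123456789abcdef01234567&x=1", "extra parameter breaks $ anchor"),
]


def matches_neutrino_uri(uri: str) -> bool:
    """True if the SID 2016551 PCRE matches the given (already normalized) URI."""
    return NEUTRINO_URI_RE.search(uri) is not None


def classify(uris=None) -> dict:
    """Map each sample URI to the PCRE's verdict."""
    if uris is None:
        uris = [u for u, _ in SAMPLE_URIS]
    return {u: matches_neutrino_uri(u) for u in uris}


def matching_uris(uris=None) -> list:
    """Return only the URIs the PCRE would fire on, in input order."""
    return [u for u, hit in classify(uris).items() if hit]


if __name__ == "__main__":
    for uri, note in SAMPLE_URIS:
        verdict = "MATCH   " if matches_neutrino_uri(uri) else "no match"
        print(f"{verdict}  {uri:48}  ({note})")
```

Two things worth noticing when writing similar rules: the look-ahead only constrains the three characters immediately after the literal it follows, so it excludes the parameter name "hash..." and nothing else; and because the full rule also requires content:"?h"; http_uri before the pcre is evaluated, the regex only ever runs on URIs that already passed the cheaper content match, which is how ET keeps a PCRE with $ and a 24-character class affordable.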



