[Snort-sigs] Snort rule for a pattern match?

Shields, Joseph (NIH/NIEHS) [C] joseph.shields at ...3788...
Wed Mar 27 10:47:19 EDT 2013


Joel Esler advised this yesterday.  I haven't had a chance yet to research.  I plan to today after I get some weekly reports out.


"Take a look at the Snort ruleset from www.snort.org/snort-rules and look for rules with byte_extract in them."


-----Original Message-----
From: lists at ...3397... [mailto:lists at ...3397...] 
Sent: Wednesday, March 27, 2013 10:40 AM
To: Lay, James; Shields, Joseph (NIH/NIEHS) [C]
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

On 03/27/2013 09:29 AM, Lay, James wrote:
> James,
> 
>    The traffic could be on most any port, though it likely will be 
> web.  I think PCRE would be possible if the Perl look-ahead with calc 
> capability is supported.  I've not seen anything showing this 
> implementation.  Namely, (?{ code }).
> 

Look-aheads work; check out SID 2016551 in the ET ruleset, and look at the PCRE with the negated look-ahead.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"?h"; http_uri; content:" Java/1."; http_header; fast_pattern; pcre:"/\/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$/U"; classtype:trojan-activity; sid:2016551; rev:3;)

Cheers, Nathan


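The rule Nathan quotes relies on a negative look-ahead, `(?!ash)`, which is an assertion about what follows the `h` rather than embedded code like Perl's `(?{ code })`. The script below is an added example, not part of the thread or the ET ruleset: it runs the rule's pcre against constructed URIs (not captured traffic) with Python's `re`, which accepts the same look-ahead syntax, so you can see exactly which query strings the expression does and does not match. Snort evaluates this pcre with the `/U` modifier against the normalized HTTP URI buffer; here the pattern is applied to plain strings, so only the regex itself is exercised.

```python
import re

# The pcre from ET SID 2016551 as posted in the thread (Snort's /U modifier
# dropped: here it is applied to plain strings, not the normalized URI buffer).
NEUTRINO_URI_RE = re.compile(r"/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$")


def matches_neutrino_jar_uri(uri: str) -> bool:
    """Return True if the URI satisfies the rule's pcre component.

    The other rule options (flow, content matches on "?h" in the URI and
    " Java/1." in the headers) are not modelled; only the regex is tested.
    """
    return NEUTRINO_URI_RE.search(uri) is not None


# Constructed sample URIs with the expected verdict for each (not real traffic).
SAMPLES = {
    # 'h' followed by six lowercase letters, then 24 hex chars at end of URI
    "/abcd?hfmvqz=0123456789abcdef01234567": True,
    # exactly five letters after 'h' still satisfies [a-z]{5,}
    "/abcd?hfmvqz=0123456789abcdef01234567?": False,   # '$' anchor: nothing may follow
    "/abcd?hfmvq=0123456789abcdef01234567": False,     # only four letters after 'h'
    # the negative look-ahead rejects a parameter that starts with 'hash'
    "/abcd?hash=0123456789abcdef01234567": False,
    "/abcd?hashed=0123456789abcdef01234567": False,    # 'hashed' also begins with 'ash' after 'h'
    "/abcd?hfmvqz=0123456789ABCDEF01234567": False,    # uppercase hex; pattern has no /i
    "/abcd?hfmvqz=0123456789abcdef0123456": False,     # 23 hex chars, not 24
    "/abcd?hfmvqz=0123456789abcdef01234567&x=1": False,  # trailing parameter breaks '$'
}


def check_samples(samples: dict) -> dict:
    """Map each sample URI to whether the regex verdict equals the expected one."""
    return {
        uri: matches_neutrino_jar_uri(uri) == expected
        for uri, expected in samples.items()
    }


if __name__ == "__main__":
    for uri, ok in check_samples(SAMPLES).items():
        print(f"{'OK ' if ok else 'BAD'} {matches_neutrino_jar_uri(uri)!s:5} {uri}")
```

Two details worth noting when writing similar rules: `[a-z]{5,}` is greedy, so the `=` and the fixed-length hex group after it do the real constraining, and the `$` anchor means any appended parameter defeats the match, which is a deliberate choice here but would be a blind spot for a looser pattern.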