[Snort-sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

waldo kitty wkitty42 at ...3507...
Mon May 6 17:04:52 EDT 2013

On 5/6/2013 13:37, Joel Esler wrote:
> On May 3, 2013, at 8:54 PM, lists at ...3397... wrote:
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
>> CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from
>> compromised or malicious WordPress site"; flow:established,from_server;
>> content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
>> pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity;
>> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware;
>> sid:x; rev:1;)
> Nathan,
> Looking at what you are intending here, I think you mean it the other way

ok... now i'm officially confused... the flow in the rule is "from_server"...
with that specified, does it really matter whether HOME_NET or EXTERNAL_NET comes first?

then there's the situation of not only detecting this coming into a network from 
an external server, but also of detecting this going out of a network that runs 
servers feeding the public on the outside...

does the '->' really make any difference?

should it instead have been '<-' if the rule writer really wanted HOME_NET to be 

would using '<->' or '<>' (if either is allowed) detect the traffic no matter 
which way the traffic was going (internal server to external client or external 
server to internal client) no matter where the server is located??

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

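An added example, not part of this thread and not Snort's own code: a small Python model of how the header direction operator (`->` versus `<>`) and the `flow` option combine, run against the quoted rule's header and a constructed request/response pair. HOME_NET, the addresses, ports and payloads are assumed values; the rule's content and pcre checks are collapsed into one regex on the request line.

```python
import ipaddress
import re
from collections import namedtuple

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed: the monitored network
# from_server is True for the server->client half of an established session
Packet = namedtuple("Packet", "src sport dst dport from_server payload")

def side_matches(ip, port, net, ports):
    """One side of a Snort header: net is 'HOME' or 'EXTERNAL', ports 'HTTP' (80) or 'any'."""
    home = ipaddress.ip_address(ip) in HOME_NET
    return (home if net == "HOME" else not home) and (ports == "any" or port == 80)

def header_matches(pkt, src, dst, op):
    """'->' checks packet src/dst as written; '<>' also accepts the swapped order."""
    fwd = side_matches(pkt.src, pkt.sport, *src) and side_matches(pkt.dst, pkt.dport, *dst)
    rev = side_matches(pkt.src, pkt.sport, *dst) and side_matches(pkt.dst, pkt.dport, *src)
    return fwd if op == "->" else (fwd or rev)

# The rule's content/pcre on the request line, collapsed into one check
REQ_LINE = re.compile(rb"GET /wp-content/\S*/\d+\.exe HTTP/1\.")

def rule_matches(pkt, src, dst, op, flow):
    """flow is 'from_server' or 'to_server'. The URI and request line exist only in
    the client->server packet, which is why the direction matters for this rule."""
    if not header_matches(pkt, src, dst, op):
        return False
    if (flow == "from_server") != pkt.from_server:
        return False
    return REQ_LINE.match(pkt.payload.split(b"\r\n", 1)[0]) is not None
# Constructed exchange: an internal client fetches the file from an external web server.
REQUEST = Packet("10.1.1.5", 51000, "198.51.100.7", 80, False,
                 b"GET /wp-content/uploads/2013/05/12345.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
RESPONSE = Packet("198.51.100.7", 80, "10.1.1.5", 51000, True,
                  b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ...")
EXT_HTTP, HOME_ANY = ("EXTERNAL", "HTTP"), ("HOME", "any")

def fires_on(src, dst, op, flow):
    """Return which packet of the exchange a header/flow variant alerts on, or None."""
    for tag, pkt in (("request", REQUEST), ("response", RESPONSE)):
        if rule_matches(pkt, src, dst, op, flow):
            return tag
    return None

# As quoted: EXTERNAL HTTP_PORTS -> HOME any with from_server never sees the request line.
print(fires_on(EXT_HTTP, HOME_ANY, "->", "from_server"))   # None
# The other way round, inspecting the request: fires on the client's GET.
print(fires_on(HOME_ANY, EXT_HTTP, "->", "to_server"))     # request
# '<>' widens the header to either order, but flow still selects the request half.
print(fires_on(HOME_ANY, EXT_HTTP, "<>", "to_server"))     # request
```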