[Snort-sigs] Proposed update to 1:28039

Jeremy Hoel jthoel at ...2420...
Fri Dec 19 23:06:57 EST 2014


This was discussed this time last year and the answer was that since u.pw
is still a .pw domain, you should modify the rule locally to negate it.  It
makes sense, since allowing that domain is still going to be a matter of
policy for wherever Snort is running.  It's pretty easy to do a modifysid
to add the !content match and update the rule for you.
On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 at ...3985...>
wrote:

> Since Upworthy purchased u.pw (
> http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/),
> should we update INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039) to
> add the following:
>
> content:!"|01 75 02 70 77 00|"; offset:12; depth:6;
>
> Cheers,
>
> Anthony Rodgers
> Security Analyst
> Michigan Security Operations Center (MiSOC)
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
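Added example (not from the thread, and not the Talos rule text) showing what the proposed `content:!"|01 75 02 70 77 00|"; offset:12; depth:6;` actually matches. The bytes are the DNS wire encoding of the QNAME "u.pw" (length-prefixed labels, zero-terminated), and offset:12 is the size of the fixed DNS header, so the negation is anchored at the first byte of the question name. The body of 1:28039 is not quoted on the page, so `is_pw_query` below is an assumed approximation of it (QNAME TLD equals "pw"); the packets are constructed inline. The run shows the caveat a practitioner would want: with depth:6 the negation only excludes queries whose entire QNAME is u.pw, so a query for www.u.pw still fires.

```python
"""Emulate Snort content:/offset:/depth: matching on constructed DNS queries.

Added example, not code from the thread or from the Snort rule set. The exact
content match of SID 1:28039 is not quoted on the page; is_pw_query() is an
assumed approximation (QNAME ends in the "pw" TLD).
"""
import struct

# The negation proposed in the thread: \x01u\x02pw\x00 is the wire form of "u.pw"
U_PW_LABELS = bytes.fromhex("017502707700")
DNS_HEADER_LEN = 12  # fixed DNS header; the QNAME starts here, hence offset:12


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels: length byte + label, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: standard query, RD set, one question, A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def decode_qname(payload: bytes, pos: int = DNS_HEADER_LEN):
    """Return (labels, position after the terminating zero).

    A query's first QNAME never contains a compression pointer, so any byte
    with the top two bits set is treated as malformed rather than followed.
    """
    labels = []
    while True:
        n = payload[pos]
        pos += 1
        if n == 0:
            return labels, pos
        if n & 0xC0:
            raise ValueError("compression pointer in QNAME")
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth=None, negate: bool = False) -> bool:
    """Snort content semantics: offset skips bytes from the payload start,
    depth bounds how many bytes are searched from that offset, '!' inverts."""
    end = len(payload) if depth is None else offset + depth
    found = pattern in payload[offset:end]
    return not found if negate else found


def is_pw_query(payload: bytes) -> bool:
    """Assumed approximation of 1:28039's test: the QNAME's TLD is 'pw'."""
    labels, _ = decode_qname(payload)
    return bool(labels) and labels[-1].lower() == "pw"


def rule_fires(payload: bytes) -> bool:
    """1:28039 with the proposed negation added:
    content:!"|01 75 02 70 77 00|"; offset:12; depth:6;"""
    return is_pw_query(payload) and content_match(
        payload, U_PW_LABELS, offset=12, depth=6, negate=True)


if __name__ == "__main__":
    for name in ("evil.pw", "u.pw", "www.u.pw", "example.com"):
        print(f"{name:12s} fires={rule_fires(build_dns_query(name))}")
```

Because depth:6 equals the pattern length, the negation is effectively an exact-match test at bytes 12..17 of the payload; dropping depth (or widening it) would also exclude hosts under u.pw, which may or may not be the policy you want, as the reply above says.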