[Snort-sigs] Proposed update to 1:28039

Rodgers, Anthony (DTMB) RodgersA1 at ...3985...
Mon Dec 22 16:06:02 EST 2014


Thanks, Joel.

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)

From: Joel Esler (jesler) [mailto:jesler at ...3865...]
Sent: Monday, December 22, 2014 10:41
To: Jeremy Hoel
Cc: Rodgers, Anthony (DTMB); snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Proposed update to 1:28039

On Dec 19, 2014, at 11:06 PM, Jeremy Hoel <jthoel at ...2420...> wrote:

This was discussed this time last year and the answer was that since u.pw is still a .pw domain, you should modify the rule locally to negate it.  It makes sense since allowing that domain is still going to be a matter of policy for where snort is running at.  It's pretty easy to do a modifysid to add the !content match and update the rule for you.
On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 at ...3985...> wrote:
Since Upworthy purchased u.pw (http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/), should we update INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039) to add the following:

content:!"|01 75 02 70 77 00|"; offset:12; depth:6;

Cheers,

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)


I've just updated the rule to negate u.pw.  This rule should ship soon.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos