[Snort-sigs] Proposed update to 1:28039

Rodgers, Anthony (DTMB) RodgersA1 at ...3985...
Mon Dec 22 16:06:48 EST 2014

Yup – we have our own temporary rule running pending Joel’s update.

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)

From: Jeremy Hoel [mailto:jthoel at ...2420...]
Sent: Friday, December 19, 2014 23:07
To: Rodgers, Anthony (DTMB)
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Proposed update to 1:28039

This was discussed this time last year and the answer was that since u.pw is still a .pw domain, you should modify the rule locally to negate it.  It makes sense since allowing that domain is still going to be a matter of policy for where Snort is running.  It's pretty easy to do a modifysid to add the !content match and update the rule for you.
On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 at ...3985...> wrote:
Since Upworthy purchased u.pw (http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/), should we update INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039) to add the following:

content:!"|01 75 02 70 77 00|"; offset:12; depth:6;


Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
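Added example, not part of the thread above and not the actual body of SID 1:28039: a small Python script that shows what the proposed negated content match inspects. A DNS question name is sent as length-prefixed labels terminated by a zero byte, so "u.pw" is 01 'u' 02 'p' 'w' 00, and the fixed 12-byte DNS header is why the match sits at offset:12 with depth:6. With a six-byte pattern in a six-byte window the negation only suppresses the alert when the queried name is exactly u.pw, so a lookup for something like www.u.pw would still fire. The `.pw` suffix test in `suspicious_pw_query` is an assumed stand-in for whatever the real rule matches, and every packet below is constructed inline; nothing touches the network.

```python
"""Added example (not from the original thread): what the proposed
content:!"|01 75 02 70 77 00|"; offset:12; depth:6; actually inspects.

The ".pw" test is an assumption standing in for SID 1:28039's real
content match, which is not reproduced here.
"""
import struct

DNS_HEADER_LEN = 12
U_PW_QNAME = b"\x01u\x02pw\x00"   # the six bytes from the proposed negated match


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 wire-format labels: len, label, ..., 0."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal standard query (RD set, one A/IN question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 12 bytes
    question = encode_qname(name) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    return header + question


def decode_qname(payload: bytes, offset: int = DNS_HEADER_LEN) -> str:
    """Decode the uncompressed question name that starts right after the header."""
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def negated_match_excludes(payload: bytes) -> bool:
    """True when the proposed negation would stop the rule: the six bytes at
    offset 12 are exactly the encoded name u.pw.  A six-byte pattern searched
    in a six-byte window (offset:12; depth:6) is an exact match at offset 12,
    so names such as www.u.pw are NOT excluded."""
    return payload[DNS_HEADER_LEN:DNS_HEADER_LEN + len(U_PW_QNAME)] == U_PW_QNAME


def suspicious_pw_query(payload: bytes) -> bool:
    """Assumed stand-in for the rule: alert on any query under .pw unless the
    proposed negated content match exempts it."""
    name = decode_qname(payload).lower()
    if not name.endswith(".pw"):
        return False
    return not negated_match_excludes(payload)


if __name__ == "__main__":
    # Constructed sample names, not captured traffic.
    for qname in ("u.pw", "www.u.pw", "evil.example.pw", "example.com"):
        pkt = build_query(qname)
        print(f"{qname:18} qname bytes={encode_qname(qname).hex(' ')}"
              f"  exempt={negated_match_excludes(pkt)}"
              f"  alert={suspicious_pw_query(pkt)}")
```

Run it as-is to see the per-name table; the point is that `u.pw` is exempt while `www.u.pw` still alerts, which is worth deciding on deliberately before committing the local modifysid entry.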
