[Snort-sigs] flowbits check needed?

rmkml rmkml at ...174...
Sat Feb 15 16:37:44 EST 2014

Thank you YM for sharing,

Well, it is not easy to tell whether you need (java) flowbits or not.

I think not, because the Java User-Agent is in the same request as the URI.

warn: the pcre is missing a '/' after the first escape '\'.

Do you have a pcap, please?

Maybe add urilen:17.

Remove {1} from the pcre, because \d is not repeated any further.

warn2: the http_uri content is not nocase, but the pcre is (i): why?

Another similar sig already exists:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; 
content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; 
fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2;)


On Sat, 15 Feb 2014, Y M wrote:

> I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts?
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header;
> fast_pattern:only; pcre:"/\download\.asp\?p\=\d{1}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
> reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid: 100160; rev:1;)
> YM
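
The pcre points raised in the reply above, checked in code. This is an added example, not part of the original thread or of Snort itself: `PCRE_REVISED` is an assumed revision that applies the reply's notes, the sample URI is constructed, and the helper names are hypothetical.

```python
import re

# Constructed sample: the URI the rule is meant to catch ("/download.asp?p=" plus one digit).
SAMPLE_URI = "/download.asp?p=1"

PCRE_AS_POSTED = r"/\download\.asp\?p\=\d{1}$/Ui"   # pcre option from the quoted rule
PCRE_REVISED = r"/\/download\.asp\?p=\d$/U"          # assumed revision applying the reply's notes


def split_pcre(option):
    """Split a Snort pcre value '/body/flags' into (body, flags)."""
    body, _, flags = option[1:].rpartition("/")
    return body, flags


def lint_pcre(option, content_is_nocase=False):
    """Return the review findings from the reply that apply to this pcre."""
    body, flags = split_pcre(option)
    findings = []
    # An escape straight after the opening delimiter: '\d' here is the digit class,
    # so '\download' means "one digit, then 'ownload'", not the literal path.
    if re.match(r"\\[dDwWsS]", body):
        findings.append("class-escape-at-start")
    # '{1}' repeats the preceding atom exactly once, which is already the default.
    if "{1}" in body:
        findings.append("redundant-{1}")
    # The content match is case-sensitive but the pcre is not (or the reverse).
    if ("i" in flags) != content_is_nocase:
        findings.append("case-mismatch")
    return findings


def pcre_matches(option, uri):
    """Evaluate the pcre body against a URI (Python's re agrees with PCRE for these constructs)."""
    body, flags = split_pcre(option)
    return re.search(body, uri, re.I if "i" in flags else 0) is not None


def uri_length(uri):
    """Length to compare against the suggested urilen:17."""
    return len(uri)


if __name__ == "__main__":
    for opt in (PCRE_AS_POSTED, PCRE_REVISED):
        print(opt, lint_pcre(opt), pcre_matches(opt, SAMPLE_URI))
    print("urilen", uri_length(SAMPLE_URI))
```

As posted, the pcre can never match the payload URI, so the rule would stay silent even though both content matches hit.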
