[Snort-sigs] Sid 21858

Joel Esler (jesler) jesler at ...3865...
Wed Oct 15 16:09:13 EDT 2014


Since the second content match is a “fast_pattern:only”, it’s case insensitive.  So uppercase, lowercase, doesn’t matter.

This would be a lot easier if you could send a pcap for us to look at.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Oct 15, 2014, at 2:23 PM, Oscar A <o_ama_lo at ...12...> wrote:
> 
> Hi, can somebody help me please, I find only exact matches for the first content
> 
> content:"|FF|SMB|A2 00 00 00 00|"; 
> 
> But for the second content only match the first 2 hexadecimal values
> 
> content:"m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"
> 
> Isn't it supposed to be that all content matches must be true for the rule to trigger an event, that is, each content match has
> an AND relationship with the others? So why are drop events triggering only when the first content is matched?
> 
> I'm having this match 4d 00 53 00 49 00 45 00 58 00 45 00 43 00 2E 00 45 00 58 00 45 (00 22 00) but the m s i e x e c . e x e are in upper case and the last three 00 00 00 between parentheses are not matching
> 
> Regards!
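To make the two behaviours concrete, here is an added example (not code from the thread or from Snort) that emulates a Snort content match over the bytes Oscar pasted, once case-sensitively and once with the case folding Joel describes for fast_pattern:only. It assumes no offset/depth/distance modifiers and a simplified parser for the content string.

```python
"""Emulate a Snort content match (added example, not code from the thread or Snort)."""


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string into the bytes the engine searches for.

    Text outside |...| is literal ASCII; inside, space-separated hex bytes.
    Simplification: the rule-language backslash escapes are not handled.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """True if the content occurs anywhere in payload (no offset/depth/distance).

    nocase models case-insensitive matching (the behaviour Joel attributes to
    fast_pattern:only): only ASCII letters fold; the |00| bytes and
    punctuation must still match exactly.
    """
    needle = parse_content(spec)
    return needle.lower() in payload.lower() if nocase else needle in payload


# Both content strings exactly as Oscar posted them.
SMB_SPEC = "|FF|SMB|A2 00 00 00 00|"
MSIEXEC_SPEC = "m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"

# Constructed payloads. SEEN_ON_WIRE reproduces the byte run Oscar pasted:
# UTF-16LE "MSIEXEC.EXE" followed by 00 22 00 (a UTF-16 double quote).
# NUL_TERMINATED is the same string followed by the 00 00 00 the rule expects.
SEEN_ON_WIRE = 'MSIEXEC.EXE"'.encode("utf-16-le")
NUL_TERMINATED = "MSIEXEC.EXE".encode("utf-16-le") + b"\x00\x00"


def thread_cases() -> dict:
    """Evaluate the second content against both payloads, with and without nocase."""
    return {
        "wire_case_sensitive": content_matches(SEEN_ON_WIRE, MSIEXEC_SPEC),
        "wire_nocase": content_matches(SEEN_ON_WIRE, MSIEXEC_SPEC, nocase=True),
        "nul_case_sensitive": content_matches(NUL_TERMINATED, MSIEXEC_SPEC),
        "nul_nocase": content_matches(NUL_TERMINATED, MSIEXEC_SPEC, nocase=True),
    }


if __name__ == "__main__":
    for name, hit in thread_cases().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

Only the NUL-terminated payload matches, and only with case folding: the pasted bytes fail both ways because the trailing 0x22 is a different byte, not a different case, which is why a pcap is needed to see what the sensor actually matched.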
