[Snort-sigs] Sid 21858

Oscar A o_ama_lo at ...12...
Wed Oct 15 17:57:45 EDT 2014


Hi, this is the .pcap
Regards!
From: o_ama_lo at ...12...
To: jesler at ...3865...
Subject: RE: [Snort-sigs] Sid 21858
Date: Wed, 15 Oct 2014 15:35:04 -0500




Thanks very much, I have the pcap

From: jesler at ...3865...
To: o_ama_lo at ...12...
CC: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Sid 21858
Date: Wed, 15 Oct 2014 20:09:13 +0000

since the second content match is a “fast_pattern:only”, it’s case insensitive.  So uppercase, lowercase, doesn’t matter.
This would be a lot easier if you could send a pcap for us to look at.
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
On Oct 15, 2014, at 2:23 PM, Oscar A <o_ama_lo at ...12...> wrote:

Hi, can somebody help me please, I find only exact matches for the first content

content:"|FF|SMB|A2 00 00 00 00|"; 

But for the second content, only the first 2 hexadecimal values match

content:"m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"

Isn't it supposed that all content matches must be true for the rule to trigger an event, that is, each content match has
an AND relationship with the others? So why are drop events triggering only when the first content is matched?

I'm having this match: 4d 00 53 00 49 00 45 00 58 00 45 00 43 00 2E 00 45 00 58 00 45 (00 22 00), but the m s i e x e c . e x e are in upper case and the last three 00 00 00 in parentheses are not matching

Regards!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: request_1413385474.rar
Type: application/octet-stream
Size: 388156 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141015/02bf7f07/attachment.obj>
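To make the matching semantics discussed in the thread concrete (every content must match, and the second content is compared case-insensitively as Joel describes), here is an added Python emulation of Snort's content syntax; it is not code from the thread or from Snort, and its payloads are constructed rather than taken from the pcap.

```python
"""Emulate Snort 'content' matching for the two contents quoted in the thread.

Added example, not code from the thread or from Snort. parse_content() handles
the mixed text/|hex| syntax, content_matches() checks one content with or
without case folding (nocase / fast-pattern style), rule_matches() ANDs them.
"""

# The two contents quoted in the thread, verbatim.
SMB_HDR = "|FF|SMB|A2 00 00 00 00|"
MSIEXEC = "m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"


def parse_content(spec: str) -> bytes:
    """Turn 'm|00|s|00|' into raw bytes: text outside pipes is literal,
    text inside pipes is space-separated hex byte values."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")                 # literal segment
        else:
            out += bytes.fromhex(chunk.replace(" ", ""))   # hex segment
    return bytes(out)


def content_matches(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """One content check. bytes.lower() folds only ASCII letters, so the
    |00| bytes of UTF-16LE text are unaffected by the nocase fold."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def rule_matches(payload: bytes, contents) -> bool:
    """A rule fires only when every (spec, nocase) content matches (AND)."""
    return all(content_matches(payload, s, nc) for s, nc in contents)


# Constructed payloads (not from the pcap). OBSERVED reproduces the byte run
# reported in the thread: UTF-16LE "MSIEXEC.EXE" followed by 00 22 00.
PREFIX = parse_content(SMB_HDR) + b"\x00" * 8
OBSERVED = PREFIX + "MSIEXEC.EXE".encode("utf-16-le") + b'"\x00'
# UPPER_NULLS: same upper-case text, but followed by the 00 00 00 the content expects.
UPPER_NULLS = PREFIX + "MSIEXEC.EXE".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for name, p in (("observed", OBSERVED), ("upper+nulls", UPPER_NULLS)):
        print(name, "case-sensitive:", rule_matches(p, [(SMB_HDR, False), (MSIEXEC, False)]),
              "nocase:", rule_matches(p, [(SMB_HDR, False), (MSIEXEC, True)]))
```

With the observed trailing 00 22 00 the second content fails even case-insensitively, while the same upper-case text followed by 00 00 00 matches only under the case-insensitive comparison; the emulation does not reproduce Snort's fast-pattern internals, so it cannot settle why the real rule fired without the pcap.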

