[Snort-sigs] Excluding a domain in snort rule

Joel Esler (jesler) jesler at ...3865...
Tue Jun 6 15:58:33 EDT 2017

I would suggest disabling that rule altogether.  That pattern hasn’t been used in years.

Joel Esler | Talos: Manager | jesler at ...3865...

On Jun 6, 2017, at 3:47 PM, John G <drterdnugget at ...2420...> wrote:

I have this alert that is triggering on a legitimate site.

EXPLOIT-KIT Angler exploit kit news uri structure (1:38439:2)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:2; )

It is triggering because of this site: http://www[.]wenxuecity[.]com/news/2017/06/06/6293116.html

How could we go about whitelisting that by editing the Snort rule?


Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net


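The question above asks how to keep SID 38439 from firing on one legitimate site. As an added example that is not part of the thread or of the Talos ruleset, the following shows the three options a Snort 2.9 operator has: disabling the rule (what the reply recommends), adding a negated Host-header match to a local copy of the rule, or suppressing the alert by destination IP in threshold.conf. The rule body is the one quoted in the question; the IP address 192.0.2.10, the file placements and the PulledPork usage are assumptions.

```snort
# Added example, not from the thread. Snort 2.9 syntax throughout.

# Option 1: disable the rule entirely (the reply's recommendation).
# With PulledPork, add the GID:SID to disablesid.conf (assumed file);
# by hand, comment the rule out in the rules file.
1:38439

# Option 2: keep the rule but exclude the one site by Host header.
# Put this in local.rules and disable the stock copy (option 1) so the
# two copies do not both fire. The only change is the negated http_header
# content and the bumped rev; a negated match cannot carry fast_pattern,
# which stays on "/news/".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler exploit kit news uri structure"; flow:to_server,established; content:"/news/"; fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1; http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U"; content:!"Host|3A 20|www.wenxuecity.com|0D 0A|"; nocase; http_header; metadata:impact_flag red, policy max-detect-ips drop, service http; classtype:trojan-activity; sid:38439; rev:3; )

# Option 3: suppress the alert for one destination in threshold.conf.
# Suppression is keyed on IP, not on domain, so the site's address has to
# be resolved first; the thread does not give it, so 192.0.2.10 is a
# placeholder.
suppress gen_id 1, sig_id 38439, track by_dst, ip 192.0.2.10
```

The trade-off between the last two: the Host-header exclusion is narrow (only requests that name that host are exempted, and the rule still sees the same host by IP if the Host header differs), but it lives in a locally edited rule that must be re-applied on every ruleset update; the IP suppression needs no rule edit but silently stops working when the site changes address and exempts every URI sent to that address, not just the news path.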
