[Snort-sigs] Excluding a domain in snort rule

lists at ...3397...
Tue Jun 6 15:57:51 EDT 2017


On 06/06/17 14:47, John G wrote:
> I have this alert that is triggering on a legitimate site.  
> 
> EXPLOIT-KIT Angler exploit kit news uri structure (1:38439:2)
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Angler
> exploit kit news uri structure"; flow:to_server,established; content:"/news/";
> fast_pattern; http_uri; content:"/"; within:5; distance:1; http_uri;
> content:"/"; within:5; distance:1; http_uri; content:"/"; within:5; distance:1;
> http_uri; pcre:"/^\/news\/([0-9]+\/){3}[0-9]{5,10}(\.html)?$/U";
> metadata:impact_flag red, policy max-detect-ips drop, service http;
> classtype:trojan-activity; sid:38439; rev:2; )
> 
> 
> It is triggering because of this site:
> http://www[.]wenxuecity[.]com/news/2017/06/06/6293116.html
> 
> How could we go about whitelisting that by editing the Snort rule? 

Hi John,

You could do a suppression via IPv4 but I wouldn't suggest this as I see 438 RRs
hung off the IPv4 of 107.178.244.221 since it's just a CNAME:

;; ANSWER SECTION:
www.wenxuecity.com.     4327    IN      CNAME   projectshield.googlehosted.com.
projectshield.googlehosted.com. 140 IN  A       107.178.244.221

Optionally, you could modify the rule to include something along the lines of:

content:!"www.wenxuecity.com"; nocase; http_header;

for an opportunistic approach.  If you want a more constrained approach, perhaps:

content:!"host|3a 20|www.wenxuecity.com"; nocase; http_header;

You'll probably want to bump the Rev number or fork the rule, disabling the
original.

Others may have alternative methods to assist.

Cheers,
Nathan
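To see how the two negated content options Nathan suggests behave against the rule's URI pattern, here is an added Python sketch (not from the thread and not Snort code) that emulates the sid 38439 URI check plus each exclusion form on constructed requests; `rule_fires`, `parse_request` and the sample requests are assumed names and data.

```python
import re

# The pcre from sid 38439; Snort's /U applies it to the normalized URI,
# here it is applied to the request-line path of a constructed request.
ANGLER_NEWS_URI = re.compile(r"^/news/([0-9]+/){3}[0-9]{5,10}(\.html)?$")

# Hostname the negated content match excludes (nocase -> compare lowercased).
EXCLUDED_HOST = "www.wenxuecity.com"


def parse_request(raw: str):
    """Split a constructed HTTP/1.1 request into (uri, header_block)."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    return uri, headers


def rule_fires(raw: str, mode: str = "host") -> bool:
    """Emulate sid 38439 with one of the exclusion forms added.

    mode="none"   : original rule, URI pattern only.
    mode="header" : content:!"www.wenxuecity.com"; nocase; http_header;
                    (opportunistic: the string anywhere in the headers,
                    so a Referer naming the site also suppresses the alert).
    mode="host"   : content:!"host|3a 20|www.wenxuecity.com"; nocase; http_header;
                    (constrained: only a "Host: " header naming the site;
                    note it assumes exactly one space after the colon).
    """
    uri, headers = parse_request(raw)
    if not ANGLER_NEWS_URI.match(uri):
        return False                      # rule would not fire at all
    lowered = headers.lower()             # nocase
    if mode == "header" and EXCLUDED_HOST in lowered:
        return False
    if mode == "host" and f"host: {EXCLUDED_HOST}" in lowered:
        return False
    return True


# Constructed sample requests (not captured traffic).
LEGIT = ("GET /news/2017/06/06/6293116.html HTTP/1.1\r\n"
         "Host: www.wenxuecity.com\r\n\r\n")
OTHER = ("GET /news/2017/06/06/6293116.html HTTP/1.1\r\n"
         "Host: example.test\r\n\r\n")
REFERER = ("GET /news/1/2/3/12345 HTTP/1.1\r\n"
           "Host: example.test\r\n"
           "Referer: http://www.wenxuecity.com/\r\n\r\n")
```

The REFERER case is where the two forms differ: the opportunistic form stays quiet because the excluded string appears in a Referer header, while the Host-constrained form still alerts.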
