<div dir="ltr">Just as an FYI, all of my hits on these eventually lead to smoke loader and its associated sigs firing.<div><br></div><div>Regards,</div><div><br></div><div>Will</div></div><div class="gmail_extra"><br><br>
<div class="gmail_quote">On Tue, Jun 25, 2013 at 12:22 PM, James Lay <span dir="ltr"><<a href="mailto:jlay@...3266..." target="_blank">jlay@...3266...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 2013-06-25 11:10, Joel Esler wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
content:"GET /?1 HTTP/1.1"; fast_pattern:only;<br>
<br>
is your best bet.<br>
<br>
You could break it out like this if you want:<br>
<br>
urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;<br>
content:"HTTP/1.1";<br>
<br>
"HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the<br>
problem?<br>
<br>
--<br></div>
JOEL ESLER<div class="im"><br>
Senior Research Engineer, VRT<br>
OpenSource Community Manager<br>
Sourcefire<br>
</div></blockquote>
<br>
Thanks Joel and Will...here's the full rule:<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:bad-unknown; sid:10000082; rev:1;)<br>

<br>
Going to run this in production and see how it flies.<div class="HOEnZb"><div class="h5"><br>
<br>
James<br>
<br>
______________________________<u></u>_________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@...3694..." target="_blank">Emerging-sigs@...2570...<u></u>emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.<u></u>net/mailman/listinfo/emerging-<u></u>sigs</a><br>
<br>
</div></div></blockquote></div><br></div>
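A small model of Joel's point about HTTP buffers, added here as an illustration and not code from the thread or from Snort: a content match qualified with http_method or http_uri is only evaluated against that parsed field, while an unqualified content match runs over the raw payload, which is the only place the "HTTP/1.1" version string can be found. The Content class, parse_request and rule_matches are assumed names for this toy matcher; the sample request is constructed.

```python
from dataclasses import dataclass


@dataclass
class Content:
    """One content: option; buffer is "raw" (no modifier), "http_method" or "http_uri"."""
    pattern: bytes
    buffer: str = "raw"


def parse_request(payload: bytes) -> dict:
    """Split the request line into the fields an HTTP inspector exposes as buffers.
    The version token is deliberately not given a buffer: it stays in the raw payload only."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""
    return {"raw": payload, "http_method": method, "http_uri": uri}


def rule_matches(payload: bytes, contents, urilen=None) -> bool:
    """Evaluate urilen and every content: option against its selected buffer."""
    bufs = parse_request(payload)
    if urilen is not None and len(bufs["http_uri"]) != urilen:
        return False
    return all(c.pattern in bufs[c.buffer] for c in contents)


# Constructed sample request line matching the redirect pattern under discussion.
SAMPLE = b"GET /?1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

# Joel's one-liner: a single raw content match over the whole request.
ONE_LINER = [Content(b"GET /?1 HTTP/1.1")]

# Joel's broken-out form: method and URI in their buffers, version against the raw payload.
BROKEN_OUT = [Content(b"GET", "http_method"),
              Content(b"/?1", "http_uri"),
              Content(b"HTTP/1.1")]

# The mistake Joel suspects: looking for the version string inside the URI buffer.
WRONG_BUFFER = [Content(b"HTTP/1.1", "http_uri")]
```

Running rule_matches with BROKEN_OUT and urilen=3 also shows why the urilen check matters: "/?12" still contains "/?1" but has length 4, so the rule does not fire on it.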