Home page logo
/

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Rule assist
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Tue, 25 Jun 2013 12:51:39 -0500

Just as an FYI all of my hits on these eventually lead to smoke loader and
it's associated sigs firing.

Regards,

Will


On Tue, Jun 25, 2013 at 12:22 PM, James Lay <jlay () slave-tothe-box net>wrote:

On 2013-06-25 11:10, Joel Esler wrote:

content:"GET /?1 HTTP/1.1"; fast_pattern:only;

is your best bet.

You could break it out like this if you want:

urilen:3; content:"GET"; http_method; content:"/?1"; http_uri;
content:"HTTP/1.1";

"HTTP/1.1" isn't in a buffer, perhaps that's where you are getting the
problem?

--
JOEL ESLER

Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


Thanks Joel and Will...here's the full rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISED Unknown ?1 redirect";
flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
classtype:bad-unknown; sid:10000082; rev:1;)

Going to run this in production and see how it flies.


James

______________________________**_________________
Emerging-sigs mailing list
Emerging-sigs () lists **emergingthreats net<Emerging-sigs () lists emergingthreats net>
https://lists.emergingthreats.**net/mailman/listinfo/emerging-**sigs<https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs>

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net
The ONLY place to get complete premium rulesets for all versions of
Suricata and Snort 2.4.0 through Current!

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]