Home page logo

snort logo Snort mailing list archives

Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 06 May 2013 17:04:52 -0400

On 5/6/2013 13:37, Joel Esler wrote:
On May 3, 2013, at 8:54 PM, lists () packetmail net <mailto:lists () packetmail net>
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from
compromised or malicious WordPress site"; flow:established,from_server;
content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity;
sid:x; rev:1;)


Looking at what you are intending here, I think you mean it the other way

ok... now i'm officially confused... the flow in the rule is "from_server"... 
with that specified, does it really matter if HOME_NET or EXTERNAL_NET come first?

then there's the situation of not only detecting this coming into a network from 
an external server, but also of detecting this going out of a network that runs 
servers feeding the public on the outside...

does the '->' really make any difference?

should it instead have been '<-' if the rule writer really wanted HOME_NET to be 

would using '<->' or '<>' (if either is allowed) detect the traffic no matter 
which way the traffic was going (internal server to external client or external 
server to internal client) no matter where the server is located??

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]