Re: Anyones doomsday machine running low on IDS analyst tears?

[Will Metcalf <william.metcalf () gmail com>]

> No dice.. So I guess the take away here is that if you are moving to a
> VRT snort.conf or a 2.9.0 ruleset and you are running custom rules I
> would pay real close attention to debug-print-fast-pattern output.  We
> are going through the poor performers now and making modifications
> where appropriate for ET rules, just thought folks might want to know
> ;-)...

Forgot to add the bit about the solution.  If you do end up using this
pm with the default options, for rules such as this use the
fast_pattern:<offset>,<length>; options... i.e.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Delf Checkin via HTTP (8)"; flow:established,to_server;
content:"POST"; http_method; content:".php"; http_uri; nocase;
content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)";
http_header; fast_pattern:30,20; content:"name="; http_client_body;
classtype:trojan-activity;
reference:url,doc.emergingthreats.net/2008268;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf;
sid:2008268; rev:5;)

------------------------------------------------------------------------------
Beautiful is writing same markup. Internet Explorer 9 supports
standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
Spend less time writing and  rewriting code and more time creating great
experiences on the web. Be a part of the beta today.
http://p.sf.net/sfu/beautyoftheweb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users