Snort mailing list archives

Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"


From: Community Proposed <lists () packetmail net>
Date: Mon, 5 Mar 2012 11:28:59 -0600

On Mon, 5 Mar 2012 10:48:41 -0500 Joel Esler <jesler () sourcefire com> wrote:

> Nathan, I changed our rule to this:
>
> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any \
>   (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; \
>   flow:to_client,established; flowbits:isset,file.pdf; file_data; \
>   content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; \
>   fast_pattern:only; \
>   metadata:policy balanced-ips drop, policy security-ips drop, service http; \
>   classtype:trojan-activity; sid:21417; rev:3;)
>
> It fires perfectly.  Thanks for the update.

Thank you, Joel. If there are any false positive reports (I would be surprised
if there are) we can always go with the initial additional content byte-match,
distance:0; against the %PDF header.

Thanks,
Nathan
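The difference between the two variants discussed in this thread comes down to how the second content match is anchored. In rev:3 both content matches are absolute, so the CreationDate string can sit anywhere in the file_data buffer; with distance:0 it must follow the end of the %PDF header match. The following is an added example, not code from the thread or from the Snort project: a small Python emulation of those two matching strategies run over constructed sample buffers, so the trade-off Nathan describes can be seen without a sensor.

```python
"""Emulate Snort content-match anchoring for sid:21417 (added illustration,
not Snort code). Sample buffers below are constructed, not real samples."""

# Content strings taken from the rule in the thread. |0D 0A| is CR LF.
PDF_HEADER = b"%PDF-1.6\r\n"
CREATION_DATE = b") /CreationDate (D:20110405234628)>>"


def rule_rev3(buf: bytes) -> bool:
    """rev:3 semantics: two absolute content matches.

    Neither content carries a relative modifier, so each is searched over
    the whole file_data buffer independently of the other.
    """
    return PDF_HEADER in buf and CREATION_DATE in buf


def rule_distance0(buf: bytes) -> bool:
    """Alternative Nathan mentions: second content with distance:0.

    distance:0 makes the second match relative to the end of the previous
    match, so CreationDate must appear at or after the end of the header.
    A hypothetical rule body for this form (assumption, not from the thread):
      content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (...)>>"; distance:0;
    """
    start = 0
    # Snort can retry later header occurrences; emulate that backtracking.
    while True:
        idx = buf.find(PDF_HEADER, start)
        if idx < 0:
            return False
        if buf.find(CREATION_DATE, idx + len(PDF_HEADER)) >= 0:
            return True
        start = idx + 1


# Constructed sample buffers (not real PDFs or captures).
HOSTILE = PDF_HEADER + b"1 0 obj << /Producer (x" + CREATION_DATE + b"\nendobj"
BENIGN = PDF_HEADER + b"1 0 obj << /Producer (x) /CreationDate (D:20120305112859)>>\nendobj"
# Marker before the header: only rev:3 fires, distance:0 does not.
DATE_BEFORE_HEADER = b"garbage " + CREATION_DATE + b" " + PDF_HEADER + b"1 0 obj"


def evaluate() -> dict:
    """Return, per sample, which variant would alert."""
    samples = {
        "hostile": HOSTILE,
        "benign": BENIGN,
        "date_before_header": DATE_BEFORE_HEADER,
    }
    return {
        name: {"rev3": rule_rev3(buf), "distance0": rule_distance0(buf)}
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:20s} rev3={verdict['rev3']} distance0={verdict['distance0']}")
```

The third sample is the case where the two forms diverge: the unanchored rev:3 rule still alerts when the CreationDate string precedes the header, which is what makes it marginally more prone to false positives, and why the distance:0 form is the fallback if such reports arrive.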


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org