Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort rule for a pattern match?

From: "lists () packetmail net" <lists () packetmail net>
Date: Wed, 27 Mar 2013 09:40:00 -0500
On 03/27/2013 09:29 AM, Lay, James wrote:

James,

   The traffic could be on most any port, though it likely will be web.  I think
PCRE would be possible if the PERL look ahead with calc capability is
supported.  I’ve not seen anything showing this implementation.  Namely, (?{
code }). 



Look-aheads work, check out SID 2016551 in the ET ruleset.  Check the PCRE with
the negated look ahead.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS
Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"?h";
http_uri; content:" Java/1."; http_header; fast_pattern;
pcre:"/\/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$/U"; classtype:trojan-activity;
sid:2016551; rev:3;)

Cheers, Nathan

------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game 
on Steam. $5K grand prize plus 10 genre and skill prizes. 
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: