Snort mailing list archives
Re: Proposed update to 1:28039
From: "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov>
Date: Mon, 22 Dec 2014 21:06:48 +0000
Yup – we have our own temporary rule running pending Joel’s update. Anthony Rodgers Security Analyst Michigan Security Operations Center (MiSOC) From: Jeremy Hoel [mailto:jthoel () gmail com] Sent: Friday, December 19, 2014 23:07 To: Rodgers, Anthony (DTMB) Cc: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] Proposed update to 1:28039 This was discussed this time last year and the answer was that since u.pw<http://u.pw> is still a pw domain, you should modify the rule locally to negate it. It makes sense since allowing that domain is still going to be a matter of policy for where snort is running at. It's pretty easy to do a modify aid to add the !content match and update the rule for you. On Dec 19, 2014 1:12 PM, "Rodgers, Anthony (DTMB)" <RodgersA1 () michigan gov<mailto:RodgersA1 () michigan gov>> wrote: Since Upworthy purchased u.pw<http://u.pw> (http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/), should we update INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039) to add the following: content:!"|01 75 02 70 77 00|"; offset:12; depth:6; Cheers, Anthony Rodgers Security Analyst Michigan Security Operations Center (MiSOC) ------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net> https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Dive into the World of Parallel Programming! The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 19)
- Re: Proposed update to 1:28039 Jeremy Hoel (Dec 19)
- Re: Proposed update to 1:28039 Joel Esler (jesler) (Dec 22)
- Re: Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 22)
- Re: Proposed update to 1:28039 Rodgers, Anthony (DTMB) (Dec 22)
- Re: Proposed update to 1:28039 Joel Esler (jesler) (Dec 22)
- Re: Proposed update to 1:28039 Jeremy Hoel (Dec 19)