Snort mailing list archives

alert base on tcp content


From: Marcio Guerreiro <marcio.guerreiro () hotmail co uk>
Date: Mon, 27 Jul 2015 15:21:50 +0100

Hi all

I am trying to generate a rule to detect a download of a virus, and by
looking at the packets I came across the packet that initiates the
transmission...

As far as I understand, the content is divided into many packets and the part in
RED is the beginning of the transmission.

Content-Encoding: gzip

966

...........Xks.8.....?h.E7L..6...B.y'$!I......A...,.....-..@'.;.3S..[.=..{.d
Y..t......4...z....}..u.....N........Q(...,..r.=]?...6.2...|>/....#.../....W
.y.aY
.h{.F.p.{,l..cT...:......>H...<L#:kj..I`2._..!'yjj..RW.u....A6o..|EAI*=.#|.<
.ICO.S.P.=@r.....Cm........wu..c1............................5dm...@$.C.....
K...2.....e(.Q.=J..1..X..Q4..|J..+$.LF.G.....=...{s.......7.v..=.jh>..V.Q._.
(._@.....y

.)!.6.

."..6+..k.9%r..._3FY~.\)W^H'....(T.o....._g....L..i....H.W..P

......K

.c.[.>8..6='2y..n...6..>.l[./..J...Ro.{t.j..&Al...............$.s.'.qGH...^w
.

../k.2..$.I.....bbh.k.D?.*D].f.e....{.qg.].Ry+.U5...O.[.......!....D.}......
..nY]..Y'.....m...`.1~."[..+eL.'..2....p.(0.Y.UB.e.E.....Z..A...^>..NZ......
K.D....9...G.5.F.Q.3Y.]

*...ud.Q#yB.?"..,.U.f.....f..AMD....da....u...}<..>d4BgZ..\.2.5Q..(j
.....q....._._.W.(o...._...(#..t3..K-..P=.....'P.......G2./....s=&..L6......
V...!.X....2..

I do have the other packets that complete the transmission, but my question
is:

1 - Can I generate a rule based on the content in RED? (I guess yes, but I
would need to decode this string somehow; I wanted to convert it to binary or
hex and use the "content" keyword to identify the packet. But I do not
know if this is possible.)

2 - I came across many other situations and I would like to know what to do
to identify the format (I understand that the example above is in gzip).

I am happy to read anything that would help with the problem; I just do not
know what to look for.

Thank you

Marcio Guerreiro
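The two questions in the post (turning captured bytes into something the Snort "content" keyword accepts, and recognising the format of a body from its leading bytes) can both be worked through in a few lines of Python. The script below is an added illustration, not code from the post or from the Snort project: it identifies a payload by its magic bytes, decompresses gzip/zlib bodies so you can see what the uncompressed data looks like, renders arbitrary bytes in Snort's mixed literal/|hex| content syntax, and assembles a rule fragment around them. The sample payload is constructed here with gzip.compress; the bytes in the post cannot be recovered from the text dump, so the rule-building helper, the MAGIC table and the rule template are assumptions for illustration only.

```python
import gzip
import zlib
from typing import Optional

# Constructed sample payload (not the bytes from the post): a gzip body
# produced locally so the script runs offline.
SAMPLE_PLAIN = b"hypothetical sample body for rule testing\n" * 4
SAMPLE_GZIP = gzip.compress(SAMPLE_PLAIN, mtime=0)

# Leading "magic" bytes of common compressed formats; checked in order.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"\x78\x01": "zlib",
    b"\x78\x9c": "zlib",
    b"\x78\xda": "zlib",
}

# Characters Snort treats specially inside a content string; emit them as hex.
_SPECIAL = set('|";\\')


def identify_format(payload: bytes) -> str:
    """Return a format label for the payload's first bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def decompress_body(payload: bytes) -> Optional[bytes]:
    """Decompress gzip or zlib bodies; return None for other formats."""
    fmt = identify_format(payload)
    if fmt == "gzip":
        return gzip.decompress(payload)
    if fmt == "zlib":
        return zlib.decompress(payload)
    return None


def snort_content(data: bytes) -> str:
    """Render bytes in Snort content syntax: printable ASCII literally,
    everything else (and Snort's special characters) as |HH HH| hex runs."""
    parts = []
    hexrun = []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in _SPECIAL:
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(parts)


def build_rule(sid: int, match: bytes, msg: str) -> str:
    """Assemble a server-to-client TCP rule around a byte match.
    Template is an assumption for illustration; adapt to your ruleset."""
    return (
        "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any "
        f'(msg:"{msg}"; flow:to_client,established; '
        f'content:"{snort_content(match)}"; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print("format:", identify_format(SAMPLE_GZIP))
    print("decompressed:", decompress_body(SAMPLE_GZIP)[:40])
    # Matching only the gzip header would fire on every gzip response,
    # so a real rule needs bytes specific to the file being looked for.
    print(build_rule(1000001, SAMPLE_GZIP[:3], "EXAMPLE gzip body header"))
```

A caveat that follows from running this: the compressed bytes in a gzip body depend on the compressor and its settings, so a content match taken from one captured transfer may not match the same file served by a different server. Snort's http_inspect preprocessor can decompress gzip-encoded HTTP responses, and content matches placed after the file_data keyword are evaluated against the decompressed body, which is usually the more robust place to look.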
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!