Snort mailing list archives
Re: "Valid hex values only please!" error
From: Peter Bates <peter.bates () ucl ac uk>
Date: Mon, 23 Jan 2012 13:31:13 +0000
Hello all... and particularly thanks to Kevin

On 23/01/2012 12:51, Kevin Ross wrote:
> Should be: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CST ZeuS file=gwe.bin"; flow:established,to_server; content:"/xml.php?q=1|3A|file=gwe.bin"; http_uri; classtype:trojan-activity; sid:3100016; rev:1;)
Thanks for the advice and the fix - I forget why the flow state had been removed, but fixing up $HOME_NET and $EXTERNAL_NET was something I should have done before.
> Also have a look at the emergingthreats.net rules as there are many rules there for Zeus behaviours and other trojans as well as reputation stuff and loads of other rules for different things (as you imagine, often the fast moving malware stuff such as URIs, behaviours, exploit kit stuff etc).
We're running a mix of VRT, ET and some home-spun rules. As you say, SIDs 2013976 and 2013076 are particularly effective.

-- 
Peter Bates
Senior Computer Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
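The error in the subject line comes from the way Snort reads a content string: text between a pair of `|` characters is hex byte values, so the colon in the URI has to be written as `|3A|`, which is what Kevin's corrected rule does. The following is an added example, not code from this thread or from the Snort project: a simplified Python stand-in for the content-string parser that decodes the `|..|` sections, raises the thread's error text for a non-hex character inside the pipes, and does a plain byte search with the result. The sample patterns and request URIs are constructed for the example; the one that trips the check is only an illustration of the syntax mistake, not the rule Peter originally posted.

```python
import string

# The error text from the thread's subject line, used as the message here.
SNORT_HEX_ERROR = "Valid hex values only please!"


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into the byte sequence it matches.

    Outside '|...|' the text is literal, with \\; \\" and \\\\ as escapes
    for the characters Snort requires to be escaped; inside a pipe pair it
    is hex byte values, optionally separated by spaces.  A literal '|' is
    written as |7C|.  This is a simplified re-implementation of the
    documented syntax, not Snort's own parser.
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\' and i + 1 < len(pattern) and pattern[i + 1] in ';"\\':
            out.append(ord(pattern[i + 1]))      # escaped special character
            i += 2
            continue
        if c != '|':
            out.extend(c.encode('latin-1'))      # literal text
            i += 1
            continue
        # c == '|': the hex section runs up to the next pipe
        end = pattern.find('|', i + 1)
        if end == -1:
            raise ValueError("unterminated '|' hex section in content")
        section = pattern[i + 1:end]
        digits = section.replace(' ', '')        # spaces may separate bytes
        for d in digits:
            if d not in string.hexdigits:
                raise ValueError("%s (found %r inside '|%s|')"
                                 % (SNORT_HEX_ERROR, d, section))
        if len(digits) % 2:
            raise ValueError("odd number of hex digits in '|%s|'" % section)
        out.extend(bytes.fromhex(digits))
        i = end + 1
    return bytes(out)


def check_content(pattern: str):
    """Return None if the content string parses, else the error message."""
    try:
        parse_content(pattern)
        return None
    except ValueError as e:
        return str(e)


def content_matches(pattern: str, payload: bytes) -> bool:
    """Plain byte search, i.e. a content match with no modifiers applied."""
    return parse_content(pattern) in payload


# Constructed inputs for the example: the pattern from the corrected rule,
# and a pattern with a literal ':' inside the pipes, which is not hex.
GOOD = "/xml.php?q=1|3A|file=gwe.bin"
BAD = "/xml.php?q=1|:|file=gwe.bin"

if __name__ == "__main__":
    print(parse_content(GOOD))              # b'/xml.php?q=1:file=gwe.bin'
    print(check_content(BAD))               # Valid hex values only please! ...
    uri = b"/xml.php?q=1:file=gwe.bin"      # constructed request URI
    print(content_matches(GOOD, uri))       # True
```

One caveat worth keeping in mind when comparing this with the real rule: with the `http_uri` modifier Snort matches against the normalized URI buffer produced by the HTTP preprocessor, so a percent-encoded colon (`%3A`) in the request would still be matched by the engine, whereas the plain byte search above only sees the raw bytes it is given.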
Current thread:
- "Valid hex values only please!" error Peter Bates (Jan 23)
- Re: "Valid hex values only please!" error Peter Bates (Jan 23)