Snort mailing list archives
Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"
From: Dave Venman <dvenman () sourcefire com>
Date: Fri, 30 Mar 2012 09:34:53 +0100
Is this the one? http://blog.snort.org/2012/01/portvar-lookup-failed-on-filedataports.html

On 30 March 2012 05:20, waldo kitty <wkitty42 () windstream net> wrote:

> On 3/5/2012 10:48, Joel Esler wrote:
>
>> Nathan, I changed our rule to this:
>>
>> alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)
>>
>> It fires perfectly. Thanks for the update.
>
> hey joel, wasn't there a blog announcement about FILE_DATA_PORTS? i've numerous folk contacting me about IDS failures concerning this change and i'm unable to find where to point them for the changes they need to make :(
-- Dave Venman
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
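The IDS failures waldo kitty describes come from rules whose header references a port variable (here $FILE_DATA_PORTS) that the local snort.conf never defines, which is what the "portvar lookup failed" error in the linked post reports. The following checker is an added example, not code from the thread or from the Snort project: it parses the ipvar/portvar lines of a constructed snort.conf fragment and reports every rule header that references an undefined variable, so a ruleset can be vetted before Snort is restarted. The config fragment and the second (control) rule are constructed; the first rule is the header of SID 21417 rev 3 from the thread with its detection options trimmed.

```python
import re

# Constructed snort.conf fragment: FILE_DATA_PORTS is deliberately left undefined, which
# is the condition behind the "portvar lookup failed" error the thread refers to.
SNORT_CONF = """\
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
"""

# Rule 1 is the header of SID 21417 rev 3 from the thread, detection options trimmed;
# rule 2 is a constructed control case whose port variable is defined above.
RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; sid:21417; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed control rule"; sid:1000001; rev:1;)
"""

VAR_DEF = re.compile(r'^\s*(ipvar|portvar|var)\s+(\w+)\s+(\S.*)$')
HEADER = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+'          # action proto
                    r'\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+([^\s(]+)\s*\(')  # src, dst, then "("
SID = re.compile(r'\bsid:\s*(\d+)')

def defined_vars(conf_text):
    """Map variable name -> (kind, value) for each ipvar/portvar/var line in snort.conf."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            found[m.group(2)] = (m.group(1), m.group(3).strip())
    return found

def header_vars(rule):
    """Names of the $VARs used in a rule header; empty set for non-rule lines."""
    m = HEADER.match(rule)
    return set(re.findall(r'\$(\w+)', ' '.join(m.groups()))) if m else set()

def undefined_refs(conf_text, rules_text):
    """Return {sid: [missing variable names]} for rules Snort would refuse to load."""
    known = defined_vars(conf_text)
    problems = {}
    for line in rules_text.splitlines():
        missing = sorted(v for v in header_vars(line) if v not in known)
        if missing:
            m = SID.search(line)
            problems[int(m.group(1)) if m else None] = missing
    return problems

if __name__ == '__main__':
    print(undefined_refs(SNORT_CONF, RULES))  # -> {21417: ['FILE_DATA_PORTS']}
```

The fix on the sensor side is the one the linked post describes: define the missing variable with a portvar line in snort.conf rather than editing the rule.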
Current thread:
- Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Community Proposed (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" waldo kitty (Mar 29)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 30)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" waldo kitty (Mar 30)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 31)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Joel Esler (Mar 05)
- Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit" Dave Venman (Mar 31)