Snort mailing list archives
Re: Rule assist
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 12 Mar 2013 15:10:50 -0600
On 2013-03-12 10:01, James Lay wrote:
Hey all, Been trying to get this rule: alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup"; content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m"; reference:url,https://urlquery.net/report.php?id=1313067; classtype:bad-unknown; sid:10000044; rev:1;) To match and it's working, but I would like to tighten it up. Payload: 00000000 fd 64 01 00 00 01 00 00 00 00 00 00 02 32 30 10 .d...... .....20. 00000010 70 68 63 63 6f 66 63 61 6c 69 66 6f 72 6e 69 61 phccofca lifornia 00000020 03 63 6f 6d 00 00 01 00 01 .com.... . It always amazes me when I work with the pcre: function how little I understand it ;) I always want to treat it like a content: and start applying things like depth: and offset:. That being said, if I add a R to my pcre, it doesn't fire, which I don't understand. I understand R as a pcre: modifier to match the relative end of the last pattern match, which in my case would be matching the |02| yes? What am I missing in my logic? Thanks all.
Thanks gents for the responses... rule may not be good and FP a lot, but very educational :)

James
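As an added illustration (not code from the thread or from Snort itself), the following Python script walks the rule's detection options in order against the payload from the hex dump above, using a deliberately simplified model of Snort's content: window semantics (offset/depth absolute, within relative to the previous match end) and of the pcre R modifier (the search starts at the byte after the last content match). The DNS payload is constructed from the dump; the helper names and the matching model are this example's own assumptions. It shows why adding R to /\x02[0-9]{2}/ stops the rule firing: the cursor already sits past the 0x02 that content:"|02|" consumed, so a pattern that begins with \x02 has nothing left to match, while an anchored relative form such as /^[0-9]{2}/R matches the two-digit first label directly.

```python
import re

# Constructed from the hex dump quoted in the thread: one DNS query for
# 20.phccofcalifornia.com (transaction id 0xfd64, flags 0x0100, 1 question).
PAYLOAD = bytes.fromhex(
    "fd64 0100 0001 0000 0000 0000"            # DNS header (12 bytes)
    "02 3230"                                  # label: "20"
    "10 70686363 6f666361 6c69666f 726e6961"   # label: "phccofcalifornia"
    "03 636f6d"                                # label: "com"
    "00"                                       # root label terminator
    "0001 0001"                                # QTYPE A, QCLASS IN
)


def qname_labels(payload, start=12):
    """Decode the uncompressed QNAME labels that follow the 12-byte DNS header."""
    labels, pos = [], start
    while True:
        length = payload[pos]
        if length == 0:
            return labels
        if length & 0xC0:  # compression pointers do not occur in a plain query name
            raise ValueError("compressed label in question section")
        labels.append(payload[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length


def content_match(payload, pattern, *, offset=0, depth=None, doe=None, within=None):
    """Simplified model of a Snort content: option (assumption, not Snort's code).

    Absolute form (offset/depth): the search window is payload[offset:offset+depth].
    Relative form (doe/within): the window starts at the previous match end (doe)
    and is `within` bytes long, so the pattern must fit entirely inside it.
    Returns the new detect-offset-end (doe) on success, None on failure.
    """
    if doe is None:
        start = offset
        end = len(payload) if depth is None else offset + depth
    else:
        start = doe
        end = len(payload) if within is None else doe + within
    idx = payload.find(pattern, start, end)  # match must lie fully inside [start, end)
    if idx < 0:
        return None
    return idx + len(pattern)


def rule_fires(pcre, relative):
    """Evaluate the rule's detection options in order; `relative` models the R flag."""
    # content:!"in-addr"  -- negated: must be absent, and it does not move the cursor
    if b"in-addr" in PAYLOAD:
        return False
    # content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10
    doe = content_match(PAYLOAD, bytes.fromhex("01000001000000000000"), offset=2, depth=10)
    if doe is None:
        return False
    # content:"|02|"; within:1  -- the 0x02 label length must sit right after the header
    doe = content_match(PAYLOAD, b"\x02", doe=doe, within=1)
    if doe is None:
        return False
    # pcre: with R the search begins at doe (just past the 0x02); without R at byte 0.
    # Slicing makes '^' anchor at doe, which is what the /^.../R idiom relies on.
    haystack = PAYLOAD[doe:] if relative else PAYLOAD
    return re.search(pcre, haystack) is not None


if __name__ == "__main__":
    print("labels:", qname_labels(PAYLOAD))
    print("/\\x02[0-9]{2}/  :", rule_fires(rb"\x02[0-9]{2}", relative=False))
    print("/\\x02[0-9]{2}/R :", rule_fires(rb"\x02[0-9]{2}", relative=True))
    print("/^[0-9]{2}/R    :", rule_fires(rb"^[0-9]{2}", relative=True))
```

Because content:"|02|"; within:1 has already verified that the first label is exactly two bytes long, the relative /^[0-9]{2}/R form asserts precisely "a two-digit first label" without re-scanning the whole packet, which is the kind of tightening the original post was after.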