Snort mailing list archives

Re: Rule assist


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 12 Mar 2013 17:39:24 -0400

This looks like the Cool Exploit kit.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Mar 12, 2013, at 5:10 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2013-03-12 10:01, James Lay wrote:
Hey all,

Been trying to get this rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup";
  content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
  content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
  reference:url,https://urlquery.net/report.php?id=1313067;
  classtype:bad-unknown; sid:10000044; rev:1;)

To match and it's working, but I would like to tighten it up.  
Payload:

00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10  .d...........20.
00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61  phccofcalifornia
00000020  03 63 6f 6d 00 00 01 00  01                       .com.....

It always amazes me when I work with the pcre: function how little I
understand it ;)  I always want to treat it like a content: and start
applying things like depth: and offset:.  That being said, if I add a R
to my pcre, it doesn't fire, which I don't understand.  I understand R
as a pcre: modifier to match the relative end of the last pattern match,
which in my case would be matching the |02| yes?  What am I missing in
my logic?  Thanks all.


Thanks gents for the responses...rule may not be good and FP a lot, but
very educational :)

James

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_mar
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

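Added example (not part of the thread, and not Snort's own code): a small Python emulation of how the posted rule's content: and pcre: options walk the DNS payload James included, showing why the pcre stops matching once R is added. Snort's R modifier starts the regex at the end of the previous content match, so the cursor is already past the 0x02 byte the pattern begins with; the alternative pcre in the last function is my assumption, not something proposed in the thread.

```python
import re

# Constructed copy of the DNS query payload posted in the thread
# (an A query for 20.phccofcalifornia.com); bytes.fromhex ignores the spaces.
PAYLOAD = bytes.fromhex(
    "fd64 0100 0001 0000 0000 0000"              # txid, flags, qdcount=1, an/ns/ar=0
    "02 3230"                                    # label length 2, "20"
    "10 70686363 6f666361 6c69666f 726e6961"     # label length 16, "phccofcalifornia"
    "03 636f6d"                                  # label length 3, "com"
    "00 0001 0001"                               # root label, qtype A, qclass IN
)
HEADER_TAIL = bytes.fromhex("0100 0001 0000 0000 0000")  # bytes 2..11 of a one-question query


def qname(p: bytes) -> str:
    """Decode the question name so the first length byte (0x02) is visible."""
    labels, i = [], 12
    while p[i]:
        n = p[i]
        labels.append(p[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


def content_chain(p: bytes):
    """Emulate the rule's content: options; return the cursor after the last match, or None.
    offset:2; depth:10 confines the 10-byte header pattern to bytes 2..11, and
    content:"|02|"; within:1 then demands 0x02 in the single byte after it (byte 12)."""
    if b"in-addr" in p or p[2:12] != HEADER_TAIL:
        return None
    return 13 if len(p) > 12 and p[12] == 0x02 else None


def rule_fires(p: bytes, pcre_relative: bool) -> bool:
    """pcre:"/\\x02[0-9]{2}/" as posted; with R the regex runs from the cursor instead of byte 0."""
    cursor = content_chain(p)
    if cursor is None:
        return False
    start = cursor if pcre_relative else 0   # R: the search begins *after* the 0x02 byte
    return re.search(rb"\x02[0-9]{2}", p[start:]) is not None


def rule_fires_relative_fixed(p: bytes) -> bool:
    """Assumed alternative: keep R but match only the digits, i.e. /^[0-9]{2}/R,
    because the 0x02 byte is already behind the cursor when the pcre runs."""
    cursor = content_chain(p)
    return cursor is not None and re.match(rb"[0-9]{2}", p[cursor:]) is not None
```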