Re: Snort-sigs Digest, Vol 85, Issue 22

[James Lay <jlay () slave-tothe-box net>]

On 2013-06-26 16:11, John Cal wrote:
> On Wed, Jun 26, 2013 at 2:28 PM,
> <snort-sigs-request () lists sourceforge net [2]> wrote:
>
> > Yippee
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"MALWARE-CNC
> > W32.Trojan.PinkStats outbound connection";
> > flow:to_server,established;
> > content:"User-Agent: Google page|0D 0A|"; fast_pattern:only;
> > http_header; content:"/count.asp?mac="; http_uri; content:"&ver=";
> > http_uri; metadata:impact_flag red, policy balanced-ips drop,
> > policy
> > security-ips drop, service http;
>
> reference:url,http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html
> > [1];
> > classtype:trojan-activity; sid:10000083; rev:1;)
> >
> > Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania
> >
> > James
>
> James, are there any benefits to having your rule match the URI
> content before the UA content? I might need to read some additional
> material to understand the order on how a signature is read by Snort,
> but the correct flow would have the URI before the UA header,
> correct? 

I think that would normally be the case, but I'm thinking the 
fast_pattern checks to see if the UA is "Google page" first, then goes 
on with the rest of the check.  fast_pattern still confuses me 
too...what say you group, is that good reasoning for the UA to be 
checked before the URI?

James

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!