Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Emerging-Sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 7 May 2013 11:34:26 -0400
On May 6, 2013, at 5:31 PM, Nathan <nathan () packetmail net> wrote:

On May 6, 2013, at 13:37, Joel Esler <jesler () sourcefire com> wrote:


Looking at what you are intending here, I think you mean it the other way (HOME_NET -> $EXTERNAL_NET)


Neg, was looking for a compromised site serving it up to visitors and subsequent compromise with the fake Opera UA.  
Looking at local web compromise might be good/valid too.  I think waldo confused us :)


if that was the intention, then the rule should be written 

$HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (flow:to_client,established) yes?

Joel
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: