Snort mailing list archives
Re: Rig Exploit Kit outbound URI request signature
From: Geoffrey Serrao <gserrao () sourcefire com>
Date: Thu, 10 Jul 2014 12:39:59 -0400
Excellent point, Nathan. My only concern would be entering the PCRE too often (slight concern). Ideally I'd like to include at least a 'depth' modifier or 'urilen' before the content match. We shall see what comes out of testing!

On Thu, Jul 10, 2014 at 12:20 PM, lists () packetmail net <lists () packetmail net> wrote:
> On 07/10/2014 11:03 AM, Geoffrey Serrao wrote:
>> I've put into testing two rules which should cover both cases.
>
> I wouldn't fixate on the names in the .html files, they vary. This is what Ify, Will, and I came up with on the Emerging-Threats side:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS food.com compromise hostile JavaScript gate"; flow:established,to_server; content:".html?0."; http_uri; fast_pattern:only; pcre:"/\/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$/U"; classtype:trojan-activity; sid:2018505; rev:4;)
>
> Hmm, that's strange, the [a-z] should be {1,6} not {1,3} -- letting Will know now.
>
> Cheers,
> Nathan Fowler
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
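As an added example (not from the thread, and not Emerging Threats or Sourcefire code), the Python below replays the quoted rule's content match and PCRE against a handful of constructed URIs. It shows the {1,3} versus {1,6} difference Nathan flags, that the trailing $ anchor drops URIs with extra query parameters, and how a urilen-style upper bound (Geoffrey's suggestion) reduces how often the PCRE is entered. The `rule_matches`/`evaluate` helpers and the sample URIs are assumptions made for this example.

```python
import re

# Content match and PCRE quoted in the thread (ET sid:2018505 rev:4).
CONTENT = ".html?0."
# Snort's /U flag selects the normalized URI buffer; here the expression is
# simply run against the URI string, so the flag is dropped.
PCRE_AS_POSTED = re.compile(r"/[a-z]{1,3}\.html\?0\.[0-9]+[a-z]?$")
PCRE_INTENDED = re.compile(r"/[a-z]{1,6}\.html\?0\.[0-9]+[a-z]?$")

# Constructed sample URIs (not taken from the thread).
SAMPLE_URIS = [
    "/abc.html?0.123",       # short name: both variants match
    "/abcdef.html?0.99z",    # six-letter name: only {1,6} matches
    "/abc.html?0.123&x=y",   # content matches, but the PCRE is anchored with $
    "/page.html?q=1",        # fails the content match, so the PCRE never runs
    "/" + "a" * 40 + ".html?0.1" + "5" * 300,  # long URI a urilen bound drops
]


def rule_matches(uri, pattern, max_urilen=None):
    """Emulate the rule's evaluation order: the cheap content match first,
    then an optional urilen-style upper bound, and only then the PCRE.
    Returns (matched, pcre_was_evaluated)."""
    if CONTENT not in uri:
        return False, False
    if max_urilen is not None and len(uri) > max_urilen:
        return False, False
    return pattern.search(uri) is not None, True


def evaluate(uris, pattern, max_urilen=None):
    """Return (list of matching URIs, number of URIs that reached the PCRE)."""
    hits, pcre_runs = [], 0
    for uri in uris:
        matched, ran_pcre = rule_matches(uri, pattern, max_urilen)
        pcre_runs += int(ran_pcre)
        if matched:
            hits.append(uri)
    return hits, pcre_runs


if __name__ == "__main__":
    for name, pat in (("{1,3}", PCRE_AS_POSTED), ("{1,6}", PCRE_INTENDED)):
        hits, runs = evaluate(SAMPLE_URIS, pat)
        print(f"{name}: {len(hits)} hit(s), PCRE evaluated {runs} time(s): {hits}")
    hits, runs = evaluate(SAMPLE_URIS, PCRE_INTENDED, max_urilen=200)
    print(f"{{1,6}} with urilen bound: {len(hits)} hit(s), PCRE evaluated {runs} time(s)")
```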