Snort mailing list archives
Re: Sid 21858
From: Oscar A <o_ama_lo () hotmail com>
Date: Wed, 15 Oct 2014 16:57:45 -0500
Hi, this is the .pcap

Regards!

> From: o_ama_lo () hotmail com
> To: jesler () cisco com
> Subject: RE: [Snort-sigs] Sid 21858
> Date: Wed, 15 Oct 2014 15:35:04 -0500
>
> Thanks very much, I have the pcap
>
>> From: jesler () cisco com
>> To: o_ama_lo () hotmail com
>> CC: snort-sigs () lists sourceforge net
>> Subject: Re: [Snort-sigs] Sid 21858
>> Date: Wed, 15 Oct 2014 20:09:13 +0000
>>
>> Since the second content match is a “fast_pattern:only”, it’s case insensitive. So uppercase, lowercase, doesn’t matter.
>>
>> This would be a lot easier if you could send a pcap for us to look at.
>>
>> --
>> Joel Esler
>> Open Source Manager
>> Threat Intelligence Team Lead
>> Talos
>>
>> On Oct 15, 2014, at 2:23 PM, Oscar A <o_ama_lo () hotmail com> wrote:
>>
>>> Hi, can somebody help me please. I find only exact matches for the first content:
>>>
>>> content:"|FF|SMB|A2 00 00 00 00|";
>>>
>>> But for the second content only the first 2 hexadecimal values match:
>>>
>>> content:"m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"
>>>
>>> Isn't it supposed that all content matches must be true for the rule to trigger an event, that is, each content match has an AND relationship with the others? So why are drop events triggering only when the first content is matched?
>>>
>>> I'm having this match:
>>>
>>> 4d 00 53 00 49 00 45 00 58 00 45 00 43 00 2E 00 45 00 58 00 45 (00 22 00)
>>>
>>> but the "m s i e x e c . e x e" are in upper case and the last three 00 00 00 between parentheses are not matching.
>>>
>>> Regards!

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7. Monitor 10 servers for $9/Month. Get alerted through email, SMS, voice calls or mobile push notifications. Take corrective actions from your mobile device. http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
request_1413385474.rar
Description:
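The two matching properties the thread turns on (every content option of a rule must be found, ANDed together, and a fast_pattern:only content is matched case-insensitively, as Joel says) can be reproduced with a small model. The block below is an added example written for this archive page; it is not Snort's code and not part of the thread. It parses Snort content strings with |hex| escapes into bytes and runs the two content options of the rule against constructed SMB-like payloads (the packet bytes are made up here, not taken from the attached pcap). fast_pattern:only is modelled simply as a case-insensitive substring check, and offset, depth and relative modifiers a real rule may carry are ignored.

```python
# Added example: a simplified model of Snort "content" matching.
# Not Snort's code. Payloads below are constructed, not from the attached pcap.


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string into raw bytes.

    Text outside |...| is taken literally; inside |...| is space-separated hex.
    Example: 'm|00|s|00|' -> b'm\\x00s\\x00'
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % spec)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")                    # literal text
        else:
            out += bytes(int(h, 16) for h in part.split())   # hex bytes
    return bytes(out)


def content_matches(payload: bytes, content: bytes, nocase: bool) -> bool:
    """One content option: plain substring search, optionally ASCII-case-folded.

    bytes.lower() only folds A-Z, so |00| and other non-letter bytes are still
    compared exactly in nocase mode.
    """
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def rule_matches(payload: bytes, contents) -> bool:
    """All content options of a rule are ANDed: every one must be found.

    contents: list of (spec, nocase) pairs. nocase=True stands in for the
    case-insensitive behaviour of a fast_pattern:only content.
    """
    return all(content_matches(payload, parse_content(spec), nocase)
               for spec, nocase in contents)


# The two content options from SID 21858 as quoted in the thread.
FIRST_SPEC = "|FF|SMB|A2 00 00 00 00|"
SECOND_SPEC = "m|00|s|00|i|00|e|00|x|00|e|00|c|00|.|00|e|00|x|00|e|00 00 00|"

# Constructed payloads (assumption: a tiny SMB-like header followed by a
# UTF-16LE file name; real SMB packets carry much more in between).
SMB_HDR = bytes.fromhex("ff534d42a200000000") + b"\x00" * 8
PKT_LOWER = SMB_HDR + "msiexec.exe".encode("utf-16-le") + b"\x00\x00"
PKT_UPPER = SMB_HDR + "MSIEXEC.EXE".encode("utf-16-le") + b"\x00\x00"
# Upper case and terminated by 00 22 00 instead of 00 00 00, like the bytes
# Oscar reports seeing.
PKT_UPPER_QUOTE = SMB_HDR + "MSIEXEC.EXE".encode("utf-16-le") + b"\x22\x00"
PKT_NO_SMB = b"\x00" * 16 + "msiexec.exe".encode("utf-16-le") + b"\x00\x00"


def evaluate_all() -> dict:
    """Run the rule against each constructed packet, with the second content
    treated once as case-sensitive and once as fast_pattern:only (nocase)."""
    exact = [(FIRST_SPEC, False), (SECOND_SPEC, False)]
    fast = [(FIRST_SPEC, False), (SECOND_SPEC, True)]
    return {
        "lower/exact": rule_matches(PKT_LOWER, exact),
        "upper/exact": rule_matches(PKT_UPPER, exact),
        "upper/fast_pattern": rule_matches(PKT_UPPER, fast),
        "upper_quote/fast_pattern": rule_matches(PKT_UPPER_QUOTE, fast),
        "no_smb/fast_pattern": rule_matches(PKT_NO_SMB, fast),
    }


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print("%-26s %s" % (name, "ALERT" if hit else "no match"))
```

Running the file prints one line per constructed packet. The upper-case file name fails the second content when it is compared case-sensitively but passes when it is treated as fast_pattern:only, which is Joel's point; the packet without the SMB header fails regardless, since the first content is still required; and the packet ending in 00 22 00 fails even case-insensitively, because case folding does not touch the trailing 00 00 00 bytes the content demands.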
Current thread:
- Sid 21858 Oscar A (Oct 15)
- Re: Sid 21858 Joel Esler (jesler) (Oct 15)
- Message not available
- Re: Sid 21858 Oscar A (Oct 15)
- Message not available
- Re: Sid 21858 Joel Esler (jesler) (Oct 15)