Snort mailing list archives

Re: Are these rules from community.rules redundant?


From: Tyler Smith <tyler.smith () adventiumlabs com>
Date: Mon, 22 Jun 2015 11:02:31 -0500

Is this an error in community.rules, or is the redundancy intentional?

-Tyler

On Jun 22, 2015, at 10:57 AM, Nick Randolph <drandolph () sourcefire com> wrote:

Yes, in addition to sid:27628.

On 06/22/2015 11:03 AM, Tyler Smith wrote:
I was doing an evaluation of the community.rules made available on the Snort web page 
<https://www.snort.org/downloads/#rule-downloads>, and noticed these two rules:

Rule @ line 2643: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27625; rev:2;)

Rule @ line 2644: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27626; rev:2;)

Doesn't the content option in the first rule (|09|documents|09|myPicture|04|info|00|) make the 2nd rule redundant? That is, the 1st rule will always trigger if the 2nd rule does because its content option is a substring of the 2nd's content option (|03|ftp|09|documents|09|myPicture|04|info|00|).

Thanks,
Tyler


------------------------------------------------------------------------------
Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

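Tyler's substring argument can be checked mechanically. The script below is an added example, not code from this thread or from the Snort project. It encodes a query name the way DNS does on the wire (length-prefixed labels ending in a zero byte), decodes the |hh| escapes in a Snort content string, and then flags any pair of rules where one rule's content bytes are a substring of the other's while the header and every other detection option are identical. The two rules are sid:27625 and sid:27626 as quoted above; the third rule, its sid and its domain are constructed placeholders included only to show that an unrelated rule is not flagged.

```python
from typing import Dict, List, Tuple


def dns_qname(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: <len><label>...<0x00>.
    The length byte before each label is why Snort's content
    |09|documents... cannot match 'mydocuments.<rest>' by accident."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def content_bytes(content: str) -> bytes:
    """Decode a Snort content string, turning |hh hh| escapes into raw bytes."""
    out = b""
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def _split_options(body: str) -> List[str]:
    """Split a rule body on ';' that are outside double quotes."""
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_rule(rule: str) -> Dict[str, object]:
    """Parse one Snort rule into its header and an ordered (keyword, value) list."""
    text = " ".join(rule.split())                  # undo any line wrapping
    lp, rp = text.index("("), text.rindex(")")
    options: List[Tuple[str, str]] = []
    for opt in _split_options(text[lp + 1:rp]):
        kw, _, val = opt.partition(":")
        options.append((kw.strip(), val.strip().strip('"')))
    return {"header": text[:lp].strip(), "options": options}


# Options that describe or annotate the rule but do not constrain the packet.
# fast_pattern only steers the multi-pattern matcher; the content still has to be present.
DESCRIPTIVE = {"msg", "sid", "rev", "reference", "metadata", "classtype", "fast_pattern"}
# Positional content modifiers break the plain-substring argument, so refuse them.
POSITIONAL = {"offset", "depth", "distance", "within"}


def subsumes(general: Dict[str, object], specific: Dict[str, object]) -> bool:
    """True if every packet that fires `specific` must also fire `general`.
    Conservative: same header, exactly one content each, no positional
    modifiers, identical remaining detection options (flow, byte_test, ...),
    and general's content bytes occurring inside specific's."""
    if general["header"] != specific["header"]:
        return False

    def parts(r):
        contents = [v for k, v in r["options"] if k == "content"]
        others = sorted((k, v) for k, v in r["options"]
                        if k not in DESCRIPTIVE and k != "content")
        return contents, others

    gc, go = parts(general)
    sc, so = parts(specific)
    if len(gc) != 1 or len(sc) != 1 or go != so:
        return False
    if any(k in POSITIONAL for k, _ in go):
        return False
    return content_bytes(gc[0]) in content_bytes(sc[0])


def find_redundant(rules: List[str]) -> List[Tuple[str, str]]:
    """Return (general_sid, specific_sid) pairs where the specific rule can never
    fire without the general one firing as well."""
    parsed = [parse_rule(r) for r in rules]
    sid = lambda r: dict(r["options"]).get("sid", "?")
    return [(sid(g), sid(s)) for g in parsed for s in parsed
            if g is not s and subsumes(g, s)]


def matches_qname(rule: str, domain: str) -> bool:
    """Would this rule's single content option match a query for `domain`?
    (Only the content check; byte_test:1,!&,0xF8,2 additionally limits the
    rule to standard queries, i.e. QR and Opcode bits clear.)"""
    contents = [v for k, v in parse_rule(rule)["options"] if k == "content"]
    return content_bytes(contents[0]) in dns_qname(domain)


COMMON = ('flow:to_server; byte_test:1,!&,0xF8,2; fast_pattern:only; '
          'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, '
          'ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/'
          'survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; '
          'classtype:trojan-activity; ')

RULES = [
    # The two community rules quoted in the thread (rule text, sids and domains from the post).
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain '
    'documents.myPicture.info"; content:"|09|documents|09|myPicture|04|info|00|"; '
    + COMMON + 'sid:27625; rev:2;)',
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain '
    'ftp.documents.myPicture.info"; content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; '
    + COMMON + 'sid:27626; rev:2;)',
    # Constructed placeholder rule (local sid range, made-up domain) that overlaps with neither.
    'alert udp $HOME_NET any -> any 53 (msg:"PLACEHOLDER DNS request for constructed domain '
    'updates.example.test"; content:"|07|updates|07|example|04|test|00|"; '
    + COMMON + 'sid:1000001; rev:1;)',
]

if __name__ == "__main__":
    print(find_redundant(RULES))
```

Because the rules are otherwise identical, dropping sid:27626 would lose only the more specific msg text, not any detection; conversely, leaving both in place means a query for ftp.documents.myPicture.info raises two alerts that an analyst will see as one event, which is what to expect when checking alert counts during tuning.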
