<div dir="ltr">Hmmm, Shirk, are you sure you are using this set of rules? I see something in the old version (non-1.3) of the rules that would fail on the new engine. <div><br></div><div>Regards,</div><div><br></div><div>Will</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <span dir="ltr"><<a href="mailto:shirkdog@gmail.com" target="_blank">shirkdog@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS<br>
Possible Styx/Angler SilverLight Exploit";<br>
flow:established,from_server; file_data; content:"PK"; within:2;<br>
content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";<br>
classtype:trojan-activity; sid:2017732; rev:6;)<br>
<br>
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot<br>
Plugin Download Server Response"; flow:from_server,established;<br>
file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;<br>
classtype:trojan-activity; sid:2018036; rev:4;)<br>
<br>
<br>
The within option in these signatures needs two preceding content<br>
matches (per Suricata). Not sure where these patterns occur. If they<br>
are at the beginning of the HTTP payload, probably should be<br>
restricted to the HTTP body content.<br>
<br>
<br>
---<br>
Michael Shirk<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br></div>
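<div>Added example, not part of either message and not the list's or the ET/Suricata project's code: a small lint that walks a rule's options and flags the condition Michael describes, a within (or distance) with fewer than two content matches before it in the current buffer. It assumes file_data starts a fresh buffer for that count and does not model content modifiers such as http_uri that move a match to another buffer.</div>

```python
import re

# Constructed sample: the two ET rules quoted in the thread, one per line.
RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS '
    'Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; '
    'file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; '
    'content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot '
    'Plugin Download Server Response"; flow:from_server,established; '
    'file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; '
    'classtype:trojan-activity; sid:2018036; rev:4;)',
]

# Assumption of this lint: a sticky buffer keyword starts a new buffer, so a
# relative modifier after it can only refer to content matches in that buffer.
BUFFER_KEYWORDS = {"file_data"}
RELATIVE_MODIFIERS = {"within", "distance"}

# One option per match: "keyword" or "keyword:value", quoted values kept intact.
OPTION_RE = re.compile(r'\s*((?:[^;"]|"[^"]*")+);')


def parse_options(rule):
    """Split the parenthesised option section into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options = []
    for match in OPTION_RE.finditer(body):
        keyword, _, value = match.group(1).partition(":")
        options.append((keyword.strip(), value.strip()))
    return options


def option_value(options, keyword):
    """Return the value of the first option with this keyword, or None."""
    return next((v for k, v in options if k == keyword), None)


def check_relative_modifiers(rule, required=2):
    """Return a finding for every within/distance that has fewer than `required`
    content matches before it in the current buffer."""
    options = parse_options(rule)
    sid = option_value(options, "sid")
    findings = []
    seen_content = 0
    for keyword, value in options:
        if keyword in BUFFER_KEYWORDS:
            seen_content = 0          # new buffer: earlier matches do not count
        elif keyword == "content":
            seen_content += 1
        elif keyword in RELATIVE_MODIFIERS and required > seen_content:
            findings.append(f"sid:{sid} {keyword}:{value} has only "
                            f"{seen_content} preceding content match(es)")
    return findings


if __name__ == "__main__":
    for rule in RULES:
        print("\n".join(check_relative_modifiers(rule)) or "ok")
```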