<div dir="ltr"><div>curl <a href="https://rules.emergingthreats.net/open/suricata-1.4.6/emerging-all.rules">https://rules.emergingthreats.net/open/suricata-1.4.6/emerging-all.rules</a> | grep -P "sid\:(2017732|2018036)\x3b"</div>
<div> % Total % Received % Xferd Average Speed Time Time Time Current</div><div> Dload Upload Total Spent Left Speed</div><div> 97 7347k 97 7168k 0 0 1140k 0 0:00:06 0:00:06 --:--:-- 1190kalert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)</div>
<div>100 7347k 100 7347k 0 0 1142k 0 0:00:06 0:00:06 --:--:-- 1192k</div><div>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5;)</div>
<div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jan 31, 2014 at 2:07 PM, Shirkdog <span dir="ltr"><<a href="mailto:shirkdog@gmail.com" target="_blank">shirkdog@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Might put this over to the Emerging list (but since they are on here),<br>
it looks like the emerging.rules.tar.gz is not inline with the<br>
emerging-all.rules file when I hit suricata-1.4.6. I checked the<br>
emerging-all.rules and these two signatures are not present. They<br>
exist only in the tar file which is used by pulled pork to verify md5<br>
hashes when downloading new signatures.<br>
<br>
<br>
<br>
---<br>
Michael Shirk<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Fri, Jan 31, 2014 at 10:59 AM, Shirkdog <<a href="mailto:shirkdog@gmail.com">shirkdog@gmail.com</a>> wrote:<br>
> I am upgrading to 1.4.7 but I will test with 1.4.6 to see if that<br>
> works on the URI.<br>
><br>
> ---<br>
> Michael Shirk<br>
><br>
><br>
> On Fri, Jan 31, 2014 at 10:48 AM, Will Metcalf<br>
> <<a href="mailto:william.metcalf@gmail.com">william.metcalf@gmail.com</a>> wrote:<br>
>> What version of suri are you using? if 1.3 or greater you should use the 1.3<br>
>> rules. Alternatively if you put your actually engine version in the URI<br>
>> mod_rewrite magic will give you the correct ruleset i.e.<br>
>><br>
>> <a href="https://rules.emergingthreatspro.com/open/suricata-1.4.7/" target="_blank">https://rules.emergingthreatspro.com/open/suricata-1.4.7/</a><br>
>><br>
>> The "suricata" rules are built for versions of suricata prior to 1.3, you<br>
>> will have missed detection's and performance will not be as good as if you<br>
>> use the later ruleset.<br>
>><br>
>> Regards,<br>
>><br>
>> Will<br>
>><br>
>><br>
>> On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <<a href="mailto:shirkdog@gmail.com">shirkdog@gmail.com</a>> wrote:<br>
>>><br>
>>> I was pulling from here:<br>
>>> <a href="https://rules.emergingthreatspro.com/open/suricata/" target="_blank">https://rules.emergingthreatspro.com/open/suricata/</a><br>
>>><br>
>>> Using PulledPork to grab open rules. However, it appears to be at a<br>
>>> higher revision now so I will try again.<br>
>>><br>
>>> ---<br>
>>> Michael Shirk<br>
>>><br>
>>><br>
>>> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf<br>
>>> <<a href="mailto:william.metcalf@gmail.com">william.metcalf@gmail.com</a>> wrote:<br>
>>> > Hmmm Shirk are you sure you are using this set of rules. I see something<br>
>>> > in<br>
>>> > the old version (non-1.3) of the rules that would fail on the new<br>
>>> > engine.<br>
>>> ><br>
>>> > Regards,<br>
>>> ><br>
>>> > Will<br>
>>> ><br>
>>> ><br>
>>> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <<a href="mailto:shirkdog@gmail.com">shirkdog@gmail.com</a>> wrote:<br>
>>> >><br>
>>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS<br>
>>> >> Possible Styx/Angler SilverLight Exploit";<br>
>>> >> flow:established,from_server; file_data; content:"PK"; within:2;<br>
>>> >> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";<br>
>>> >> classtype:trojan-activity; sid:2017732; rev:6;)<br>
>>> >><br>
>>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot<br>
>>> >> Plugin Download Server Response"; flow:from_server,established;<br>
>>> >> file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;<br>
>>> >> classtype:trojan-activity; sid:2018036; rev:4;)<br>
>>> >><br>
>>> >><br>
>>> >> The within option in these signatures needs two preceding content<br>
>>> >> matches (per Suricata). Not sure where these patterns occur. If they<br>
>>> >> are at the beginning of the HTTP payload, probably should be<br>
>>> >> restricted to the HTTP body content.<br>
>>> >><br>
>>> >><br>
>>> >> ---<br>
>>> >> Michael Shirk<br>
>>> >> _______________________________________________<br>
>>> >> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>>> >> Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
>>> >> <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>>> >> List:<br>
>>> >> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>>> >> OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
>>> ><br>
>>> ><br>
>><br>
>><br>
</div></div></blockquote></div><br></div>