<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Yes, something like that, but I used a bad sample; the way they build the rule is given in the reference. I am trying to figure out how to get the identical signature from those HEX, like this:
<h1 class="" style="font-family: Times;"><a name="SECTION00490000000000000000" class="">Writing Good Rules</a></h1>
<div class=""><br class=""></div>
<div class=""><a href="http://manual.snort.org/node36.html" class="">http://manual.snort.org/node36.html</a></div>
<div class=""><br class=""></div>
<div class=""><br class=""></div>
<div class="">Liao</div>
<div class=""><br class=""></div>
<div><blockquote type="cite" class=""><div class="">On 4 Feb 2015, at 23:57, Cooper F. Nelson &lt;<a href="mailto:cnelson@ucsd.edu" class="">cnelson@ucsd.edu</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">-----BEGIN PGP SIGNED MESSAGE-----<br class="">
Hash: SHA1<br class=""><br class="">
Not sure what you mean; the details of the exploit are in this reference:<br class=""><br class="">
<blockquote type="cite" class=""><a href="http://exploit-db.com/download_pdf/15077" class="">http://exploit-db.com/download_pdf/15077</a><br class=""></blockquote><br class="">
The ET team are just building the sig from that.<br class=""><br class="">
- -Coop<br class=""><br class="">
On 2/3/2015 10:15 PM, liao zhuodi wrote:<br class="">
<blockquote type="cite" class="">I am looking at some Suricata rules, like "emerging-web_client.rules", and trying to figure out how some of them are built, like this:<br class=""><br class="">
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; <br class="">
flowbits:isset,ET.flash.pdf; <br class="">
flow:established,to_client; <br class="">
content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; <br class="">
reference:url,<a href="http://exploit-db.com/download_pdf/15077" class="">exploit-db.com/download_pdf/15077</a>; <br class="">
classtype:attempted-user; <br class="">
sid:2011543; <br class="">
rev:5;)<br class=""><br class="">
The content pattern is just a sequence of hex; how do you pinpoint this hex signature among tons of packages? Wireshark is a good tool, but it is still hard to find a particular signature like this. <br class=""><br class="">
Liao<br class=""><br class=""><br class=""><br class=""><br class=""><br class="">
_______________________________________________<br class="">
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="">oisf-users@openinfosecfoundation.org</a><br class="">
Site: <a href="http://suricata-ids.org" class="">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" class="">http://suricata-ids.org/support/</a><br class="">
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" class="">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br class="">
Training now available: <a href="http://suricata-ids.org/training/" class="">http://suricata-ids.org/training/</a><br class=""><br class=""></blockquote><br class=""><br class="">
- -- <br class="">
Cooper Nelson<br class="">
Network Security Analyst<br class="">
UCSD ACT Security Team<br class="">
<a href="mailto:cnelson@ucsd.edu" class="">cnelson@ucsd.edu</a> x41042<br class="">
-----BEGIN PGP SIGNATURE-----<br class="">
Version: GnuPG v2.0.17 (MingW32)<br class=""><br class="">
iQEcBAEBAgAGBQJU0kF/AAoJEKIFRYQsa8FWU3UH/3UuNJMVjKY32LFQBQrg8Y6T<br class="">
sJ6eQuMXG+czz6BPsnZruAYqBW3A33h+301J3V0AZCL7bEFn83d5GyOOuQIifJZJ<br class="">
rK0qjU3t9ScVT9yZiL/XFwsnXC1MyXQEK0xz40QYzh3rbv7Ju4tQOZv/OD/YiD/K<br class="">
JgcBnShIo9WnhwNAywbSzSPr/yWSGYD7QUQC1igJNcsj5jnyqKWmlQH0rLHJlgIF<br class="">
2D8caamJHQvgGWrjwUz9HYFf4YFwEImEC8GYd740eY30lTknRlDfnPRRBFjUniWE<br class="">
IsGIylB6DG8yHY4JwrntoqkKIOF4inWjXFtFnNtWXwdf/6VMinY0/Nymm5J8DAQ=<br class="">
=BEG1<br class="">
-----END PGP SIGNATURE-----<br class=""><br class=""></div></blockquote></div><br class=""></body></html>
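Added example (not code from this thread, from the ET rule set or from Suricata): a small Python script that turns the quoted rule's content string into the raw bytes Suricata compares against the response body, searches a constructed sample buffer for them, and renders bytes back into content notation. The hex pattern is the one quoted above for sid 2011543; the sample payload and the helper names (parse_content, to_content, find_content) are assumptions made for this example. Rendering the pattern back shows that it begins with the ASCII chunk tag "tSAC", which is a far easier thing to search for in a capture (Wireshark's Find Packet by string or hex value) than the full 50-odd byte run.

```python
"""Turn a Suricata content: pattern into bytes and locate it in a payload.

Added example, not code from the thread, the ET rule set or Suricata.
The hex pattern is the one quoted in the thread for sid 2011543; the
sample payload and the helper names are constructed for this example.
"""

# Content pattern exactly as it appears in the quoted rule (sid 2011543).
RULE_CONTENT = (
    "|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 "
    "01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 "
    "00 00 01 00 FF FF 11 11 00 00|"
)


def parse_content(spec: str) -> bytes:
    """Convert a content string (without the surrounding quotes) to raw bytes.

    Text outside |...| is matched literally; inside |...| each whitespace-
    separated token is one hex byte. Backslash escapes for | " ; and \\ in
    the literal part are honoured, as in the rule language.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":
            end = spec.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated |hex| section in content")
            out.extend(int(tok, 16) for tok in spec[i + 1:end].split())
            i = end + 1
        elif c == "\\" and i + 1 < len(spec):
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def to_content(data: bytes) -> str:
    """Render bytes in content notation: printable ASCII stays literal, the
    rest is grouped into |hex| runs. This exposes ASCII tags hidden inside an
    all-hex pattern (here the leading chunk tag 'tSAC')."""
    parts, hex_run = [], []

    def flush():
        if hex_run:
            parts.append("|" + " ".join(hex_run) + "|")
            hex_run.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\':
            flush()
            parts.append(chr(b))
        else:
            hex_run.append(f"{b:02X}")
    flush()
    return "".join(parts)


def find_content(payload: bytes, spec: str) -> list:
    """Return every offset in payload where the content pattern occurs."""
    needle = parse_content(spec)
    if not needle:
        return []
    hits, start = [], 0
    while (pos := payload.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


# Constructed sample "response body": 19 bytes of filler, 16 low bytes,
# then the chunk bytes from the rule, then more filler.
SAMPLE_PAYLOAD = (
    b"CONSTRUCTED FILLER " + bytes(range(16))
    + parse_content(RULE_CONTENT)
    + b" trailing constructed bytes"
)

if __name__ == "__main__":
    pattern = parse_content(RULE_CONTENT)
    print("pattern length :", len(pattern))
    print("as content     :", to_content(pattern))
    print("chunk tag hits :", find_content(SAMPLE_PAYLOAD, "tSAC"))
    print("full rule hits :", find_content(SAMPLE_PAYLOAD, RULE_CONTENT))
```

The same conversion works in the other direction when writing a rule: take the bytes you found in the capture and feed them to to_content to get a pattern you can paste into content:, keeping the readable chunk tag as literal text so the rule documents itself.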