[Discussion] feedback on IDS rules improvements
Victor Julien
lists at inliniac.net
Tue Oct 15 09:41:41 UTC 2013
On 10/15/2013 10:04 AM, Victor Julien wrote:
>> alert udp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
>> > content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>> > content:"|06|domain|03|com|00|"; fast_pattern; nocase;
>> > classtype:trojan-activity; sid:3000041; rev:1; priority:4;
>> > reference:url,http://localhost:8888/events/view/1;)
>> > alert tcp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
>> > content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>> > content:"|06|domain|03|com|00|"; fast_pattern; nocase;
>> > flow:established; classtype:trojan-activity; sid:3000042; rev:1;
>> > priority:4; reference:url,http://localhost:8888/events/view/1;)
>> > alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
>> > HTTP Domain: domain.com"; flow:to_server,established; content:
>> > "Host|3a|"; nocase; http_header; content:"domain.com"; fast_pattern;
>> > nocase; http_header; pcre: "/[^A-Za-z0-9-]domain\.com[^A-Za-z0-9-]/H";
>> > tag:session,600,seconds; classtype:trojan-activity; sid:3000043;
>> > rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
> You might want to try the dns_query keyword here:
> content:"hostname"; dns_query;
>
>
Correction here: dns_query acts like file_data, so it preceeds the
content and other keywords that should inspect this buffer. This way you
can use pcre, byte_test, isdataat, etc.
Example:
dns_query; content:"google.com"; nocase; pcre:"/google\.com$/i";
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Discussion
mailing list