[Discussion] feedback on IDS rules improvements

Victor Julien lists at inliniac.net
Tue Oct 15 09:41:41 UTC 2013


On 10/15/2013 10:04 AM, Victor Julien wrote:
>> > alert udp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
>> > content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>> > content:"|06|domain|03|com|00|"; fast_pattern; nocase;
>> > classtype:trojan-activity; sid:3000041; rev:1; priority:4;
>> > reference:url,http://localhost:8888/events/view/1;)
>> > alert tcp any any -> any 53 (msg: "MISP e1 Domain: domain.com";
>> > content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>> > content:"|06|domain|03|com|00|"; fast_pattern; nocase;
>> > flow:established;  classtype:trojan-activity; sid:3000042; rev:1;
>> > priority:4; reference:url,http://localhost:8888/events/view/1;)
>> > alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1 Outgoing
>> > HTTP Domain: domain.com"; flow:to_server,established; content:
>> > "Host|3a|"; nocase; http_header; content:"domain.com"; fast_pattern;
>> > nocase; http_header; pcre: "/[^A-Za-z0-9-]domain\.com[^A-Za-z0-9-]/H";
>> > tag:session,600,seconds; classtype:trojan-activity; sid:3000043;
>> > rev:1; priority:4; reference:url,http://localhost:8888/events/view/1;)
> You might want to try the dns_query keyword here:
> content:"hostname"; dns_query;
> 
> 

Correction here: dns_query acts like file_data, so it precedes the
content and other keywords that should inspect this buffer. This way you
can use pcre, byte_test, isdataat, etc.

Example:
dns_query; content:"google.com"; nocase; pcre:"/google\.com$/i";

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
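As an added illustration (not from the post above, and Python rather than Suricata rule syntax), the following decodes a DNS question name from its length-prefixed wire form into the dotted text that the dns_query buffer exposes, then compares a raw-bytes match like the quoted rules' content:"|06|domain|03|com|00|" against an anchored match on the normalized name. The DNS packets are constructed inline; their header bytes 2..12 are the same values the quoted rules test with depth:10; offset:2.

```python
# Added example (not from the mailing-list post): decode a DNS question name
# into the dotted form that Suricata's dns_query sticky buffer exposes, then
# apply an anchored, case-insensitive check in the style of the post's rule.
import re
import struct


def parse_qname(payload: bytes) -> str:
    """Return the first question name of a DNS message as dotted text.

    Labels are length-prefixed; a zero-length label ends the name.
    Compression pointers (top two bits set) are rejected, since a
    question name should never contain them.
    """
    pos = 12  # skip the 12-byte DNS header
    labels = []
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: standard recursive A query (flags 0x0100, qdcount 1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def raw_content_match(payload: bytes) -> bool:
    """Mimic the quoted rule: content:"|06|domain|03|com|00|"; nocase; on raw payload."""
    return b"\x06domain\x03com\x00" in payload.lower()


def dns_query_match(payload: bytes) -> bool:
    """Mimic dns_query; content:"domain.com"; nocase; pcre:"/^domain\\.com$/i";"""
    return re.fullmatch(r"domain\.com", parse_qname(payload), re.IGNORECASE) is not None


if __name__ == "__main__":
    for name in ("domain.com", "DOMAIN.COM", "cdn.domain.com", "domain.com.evil.net"):
        pkt = build_query(name)
        print(f"{name:22} raw={raw_content_match(pkt)} dns_query={dns_query_match(pkt)}")
```

The raw byte pattern also fires on any subdomain of domain.com, while the normalized buffer lets the rule author decide, via pcre anchors, whether subdomains should match at all.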