[Oisf-users] Some errors in signtaures
Shirkdog
shirkdog at gmail.com
Fri Jan 31 04:11:38 UTC 2014
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
Possible Styx/Angler SilverLight Exploit";
flow:established,from_server; file_data; content:"PK"; within:2;
content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
classtype:trojan-activity; sid:2017732; rev:6;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
Plugin Download Server Response"; flow:from_server,established;
file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;
classtype:trojan-activity; sid:2018036; rev:4;)
The within option in these signatures needs two preceding content
matches (per Suricata). Not sure where these patterns occur. If they
are at the beginning of the HTTP payload, probably should be
restricted to the HTTP body content.
---
Michael Shirk
More information about the Oisf-users
mailing list