[Oisf-users] Some errors in signtaures

Shirkdog shirkdog at gmail.com
Fri Jan 31 04:11:38 UTC 2014

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
Possible Styx/Angler SilverLight Exploit";
flow:established,from_server; file_data; content:"PK"; within:2;
content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
classtype:trojan-activity; sid:2017732; rev:6;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
Plugin Download Server Response"; flow:from_server,established;
file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;
classtype:trojan-activity; sid:2018036; rev:4;)

The within option in these signatures needs two preceding content
matches (per Suricata). Not sure where these patterns occur. If they
are at the beginning of the HTTP payload, probably should be
restricted to the HTTP body content.

Michael Shirk

More information about the Oisf-users mailing list