[Oisf-users] Some errors in signatures

Will Metcalf william.metcalf at gmail.com
Fri Jan 31 05:04:14 UTC 2014


Hmmm, Shirk, are you sure you are using this set of rules? I see something in
the old version (non-1.3) of the rules that would fail on the new engine.

Regards,

Will


On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com> wrote:

> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Possible Styx/Angler SilverLight Exploit";
> flow:established,from_server; file_data; content:"PK"; within:2;
> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
> classtype:trojan-activity; sid:2017732; rev:6;)
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
> Plugin Download Server Response"; flow:from_server,established;
> file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;
> classtype:trojan-activity; sid:2018036; rev:4;)
>
>
> The within option in these signatures needs two preceding content
> matches (per Suricata). Not sure where these patterns occur. If they
> are at the beginning of the HTTP payload, they probably should be
> restricted to the HTTP body content.
>
>
> ---
> Michael Shirk
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
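As an added example (not code from the thread, from Suricata, or from the ET ruleset), here is a small Python linter that applies the placement requirement Shirk quotes ("within needs two preceding content matches") to the two signatures above, with a lenient switch that instead accepts a modifier on the first content after a sticky buffer such as file_data. The option tokenizer, the STICKY_BUFFERS set and the strict/lenient switch are my own assumptions, not Suricata's parser.

```python
# Constructed input: the two ET rules quoted in the thread, joined back onto one line each.
RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler '
    'SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; '
    'content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; '
    'sid:2017732; rev:6;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server '
    'Response"; flow:from_server,established; file_data; content:"SOLAR|2e|"; within:6; '
    'content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:4;)',
]

# Assumption: keywords that start a new inspection buffer, limited to the one this thread
# discusses plus pkt_data (which returns inspection to the raw payload).
STICKY_BUFFERS = {"file_data", "pkt_data"}


def split_options(rule):
    """Split the (...) option block into (keyword, value) pairs.
    Only an unquoted ';' ends an option, so ';' or |hex| escapes inside a content
    string are left alone; a backslash-escaped quote does not toggle quoting."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, quoted, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted:
            key, _, value = buf.strip().partition(":")
            opts.append((key.strip(), value.strip().strip('"')))
            buf = ""
        else:
            buf += ch
        prev = ch
    return opts


def lint_relative_modifiers(rule, strict=True):
    """Report within/distance modifiers that appear too early in their buffer.
    strict=True : a modifier needs two preceding content matches in the current
                  buffer (the requirement quoted in the thread).
    strict=False: a modifier on the first content after a sticky buffer is taken as
                  relative to the buffer start; only one with no content at all
                  before it is reported."""
    opts = split_options(rule)
    sid = next((v for k, v in opts if k == "sid"), "?")
    buffer, seen, findings = "payload", 0, []
    for key, value in opts:
        if key in STICKY_BUFFERS:
            buffer, seen = key, 0      # new buffer: relative modifiers start over
        elif key == "content":
            seen += 1
        elif key in ("within", "distance") and seen < (2 if strict else 1):
            findings.append(f"sid:{sid} {key}:{value} follows {seen} content match(es) in {buffer}")
    return findings
```

Run the strict mode against both rules to reproduce the complaint in the thread (each rule's first `within` after `file_data` is flagged); the lenient mode reports nothing because every modifier has at least one content match before it in the file_data buffer.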