[Oisf-users] Some errors in signatures

Shirkdog shirkdog at gmail.com
Fri Jan 31 15:42:40 UTC 2014


I was pulling from here:
https://rules.emergingthreatspro.com/open/suricata/

Using PulledPork to grab open rules. However, it appears to be at a
higher revision now, so I will try again.

---
Michael Shirk


On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
<william.metcalf at gmail.com> wrote:
> Hmmm, Shirk, are you sure you are using this set of rules? I see something in
> the old version (non-1.3) of the rules that would fail on the new engine.
>
> Regards,
>
> Will
>
>
> On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Possible Styx/Angler SilverLight Exploit";
>> flow:established,from_server; file_data; content:"PK"; within:2;
>> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
>> classtype:trojan-activity; sid:2017732; rev:6;)
>>
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
>> Plugin Download Server Response"; flow:from_server,established;
>> file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;
>> classtype:trojan-activity; sid:2018036; rev:4;)
>>
>>
>> The within option in these signatures needs two preceding content
>> matches (per Suricata). Not sure where these patterns occur. If they
>> are at the beginning of the HTTP payload, probably should be
>> restricted to the HTTP body content.
>>
>>
>> ---
>> Michael Shirk
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
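A small lint for the constraint described in the thread, added here as an example and not code from the thread or from Suricata: it parses each rule's option list (quote-aware, so a `;` inside a content string does not split an option) and flags a `within`/`distance` modifier whose content has no earlier content match, which is how the post reads the two signatures. The third rule is a constructed control case with a placeholder sid; whether the engine accepts a `within` relative to the start of the `file_data` buffer depends on the Suricata version, as the reply notes, so treat the output as a review hint rather than a verdict.

```python
# Keywords that position a content match relative to the previous content match
RELATIVE_MODIFIERS = {"within", "distance"}

# Constructed sample: the two signatures quoted in the thread, plus a control rule
# (sid 1000001 is a placeholder) where the modifier follows a second content match.
RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible '
    'Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; '
    'content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; '
    'content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin '
    'Download Server Response"; flow:from_server,established; file_data; '
    'content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; '
    'classtype:trojan-activity; sid:2018036; rev:4;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST two contents"; '
    'flow:established,from_server; file_data; content:"PK"; content:"xaml"; '
    'within:40; classtype:trojan-activity; sid:1000001; rev:1;)',
]

def parse_options(rule):
    """Split the option section (inside the outer parentheses) into (keyword, value)
    pairs. A ';' inside double quotes does not end an option; backslash escapes in
    quoted strings are honoured. Keywords without a value (file_data) get ''."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch); escaped = False
        elif ch == "\\" and in_quote:
            current.append(ch); escaped = True
        elif ch == '"':
            in_quote = not in_quote; current.append(ch)
        elif ch == ";" and not in_quote:
            options.append("".join(current).strip()); current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return [tuple(part.strip() for part in opt.partition(":")[::2]) for opt in options]

def check_rule(rule):
    """Apply the constraint as stated in the post: within/distance is relative to the
    previous content match, so the content carrying it needs an earlier content.
    Returns (sid, list of findings); an empty list means the rule passes this lint."""
    pairs = parse_options(rule)
    sid = next((value for key, value in pairs if key == "sid"), None)
    findings, contents_seen = [], 0
    for key, value in pairs:
        if key == "content":
            contents_seen += 1
        elif key in RELATIVE_MODIFIERS and contents_seen < 2:
            findings.append(f"{key}:{value} on content #{contents_seen} has no preceding content match")
    return sid, findings

if __name__ == "__main__":
    for rule in RULES:
        sid, findings = check_rule(rule)
        print(sid, "OK" if not findings else "; ".join(findings))
```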