[Oisf-users] Some errors in signatures

Will Metcalf william.metcalf at gmail.com
Fri Jan 31 15:48:12 UTC 2014


What version of suri are you using? If 1.3 or greater you should use the
1.3 rules. Alternatively, if you put your actual engine version in the URI,
mod_rewrite magic will give you the correct ruleset, i.e.

https://rules.emergingthreatspro.com/open/suricata-1.4.7/

The "suricata" rules are built for versions of suricata prior to 1.3; you
will have missed detections and performance will not be as good as if you
use the later ruleset.

Regards,

Will


On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <shirkdog at gmail.com> wrote:

> I was pulling from here:
> https://rules.emergingthreatspro.com/open/suricata/
>
> Using PulledPork to grab open rules. However, it appears to be at a
> higher revision now so I will try again.
>
> ---
> Michael Shirk
>
>
> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
> <william.metcalf at gmail.com> wrote:
> > Hmmm Shirk, are you sure you are using this set of rules? I see something in
> > the old version (non-1.3) of the rules that would fail on the new engine.
> >
> > Regards,
> >
> > Will
> >
> >
> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com> wrote:
> >>
> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
> >>
> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:4;)
> >>
> >>
> >> The within option in these signatures needs two preceding content
> >> matches (per Suricata). Not sure where these patterns occur. If they
> >> are at the beginning of the HTTP payload, probably should be
> >> restricted to the HTTP body content.
> >>
> >>
> >> ---
> >> Michael Shirk
> >> _______________________________________________
> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> OISF: http://www.openinfosecfoundation.org/
> >
> >
>
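As an added example (not code from this thread, from Emerging Threats, or from Suricata), here is a small Python linter that applies the check Michael describes to each rule before it is handed to the engine: every `within` or `distance` must modify a `content`, and that content must have an earlier match to be relative to. Whether a sticky buffer such as `file_data` itself counts as that earlier anchor is exactly what differs between the engine versions discussed above; the `sticky_anchor` flag below is an assumption standing in for that behaviour, not a reading of any Suricata release's parser. The rule text is the two signatures quoted in the thread; the `depth:2` variant is an illustrative rewrite, not an ET revision.

```python
"""Lint Suricata rules for relative content modifiers with nothing to be
relative to. Example code written for this thread, not part of Suricata or
the ET ruleset."""

# Keywords that switch the current buffer. file_data is the sticky buffer the
# 1.x engines in this thread know about; later versions added more.
STICKY_BUFFERS = {"file_data"}
# Modifiers that are relative to the previous content match.
RELATIVE_MODIFIERS = {"within", "distance"}


def split_options(option_str):
    """Split a rule option block on ';' while honouring quotes and escapes."""
    opts, buf, in_quote, escape = [], [], False, False
    for ch in option_str:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    opts.append("".join(buf).strip())
    return [o for o in opts if o]


def parse_option(opt):
    """'content:"PK"' -> ('content', '"PK"'); 'file_data' -> ('file_data', None)."""
    key, sep, value = opt.partition(":")
    return key.strip(), (value.strip() if sep else None)


def lint_rule(rule, sticky_anchor=True):
    """Return a list of problem strings for one rule; an empty list means OK.

    sticky_anchor=True treats the start of a sticky buffer as a valid anchor
    for the first content's within/distance (assumed 1.3+ behaviour);
    sticky_anchor=False demands a real preceding content, like the error
    message Michael quotes."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        return ["rule has no option block"]
    options = [parse_option(o) for o in split_options(rule[start + 1:end])]
    sid = next((v for k, v in options if k == "sid"), "?")
    problems = []
    contents_in_buffer = 0  # content keywords seen since the last buffer switch
    anchor = False          # may a modifier be relative to the buffer start?
    last_content = None
    for key, value in options:
        if key in STICKY_BUFFERS:
            contents_in_buffer, anchor, last_content = 0, sticky_anchor, None
        elif key == "content":
            contents_in_buffer += 1
            last_content = value
        elif key in RELATIVE_MODIFIERS:
            if contents_in_buffer == 0:
                problems.append(f"sid:{sid}: {key}:{value} has no content to modify")
            elif contents_in_buffer == 1 and not anchor:
                problems.append(
                    f"sid:{sid}: {key}:{value} on content {last_content} "
                    "has no preceding content match to be relative to")
    return problems


def lint_rules(text, sticky_anchor=True):
    """Lint every non-comment, non-blank line of a rules file."""
    problems = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            problems.extend(lint_rule(line, sticky_anchor))
    return problems


# The two rules quoted in the thread.
STYX_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS '
    'Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; '
    'file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; '
    'content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)'
)
SOLARBOT_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot '
    'Plugin Download Server Response"; flow:from_server,established; file_data; '
    'content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; '
    'classtype:trojan-activity; sid:2018036; rev:4;)'
)
# Illustrative rewrite (not an ET revision) for an engine that rejects within
# on the first content of a buffer: depth is absolute from the buffer start.
STYX_RULE_DEPTH = STYX_RULE.replace('content:"PK"; within:2;', 'content:"PK"; depth:2;')

if __name__ == "__main__":
    for mode in (False, True):
        print(f"sticky buffer counts as anchor: {mode}")
        for rule in (STYX_RULE, SOLARBOT_RULE, STYX_RULE_DEPTH):
            for p in lint_rule(rule, sticky_anchor=mode) or ["ok"]:
                print("  ", p)
```

Run it with `sticky_anchor=False` over the ruleset PulledPork fetched and the two sids above are the ones it flags; with `sticky_anchor=True` both pass, which is the difference between the pre-1.3 and 1.3 rulesets Will points at. Feeding the output of PulledPork through `lint_rules` before restarting the sensor is cheaper than finding the parse error in suricata's log after the fact.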