[Oisf-users] Some errors in signtaures
Shirkdog
shirkdog at gmail.com
Fri Jan 31 15:59:22 UTC 2014
I am upgrading to 1.4.7 but I will test with 1.4.6 to see if that
works on the URI.
---
Michael Shirk
On Fri, Jan 31, 2014 at 10:48 AM, Will Metcalf
<william.metcalf at gmail.com> wrote:
> What version of suri are you using? if 1.3 or greater you should use the 1.3
> rules. Alternatively if you put your actually engine version in the URI
> mod_rewrite magic will give you the correct ruleset i.e.
>
> https://rules.emergingthreatspro.com/open/suricata-1.4.7/
>
> The "suricata" rules are built for versions of suricata prior to 1.3, you
> will have missed detection's and performance will not be as good as if you
> use the later ruleset.
>
> Regards,
>
> Will
>
>
> On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <shirkdog at gmail.com> wrote:
>>
>> I was pulling from here:
>> https://rules.emergingthreatspro.com/open/suricata/
>>
>> Using PulledPork to grab open rules. However, it appears to be at a
>> higher revision now so I will try again.
>>
>> ---
>> Michael Shirk
>>
>>
>> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
>> <william.metcalf at gmail.com> wrote:
>> > Hmmm Shirk are you sure you are using this set of rules. I see something
>> > in
>> > the old version (non-1.3) of the rules that would fail on the new
>> > engine.
>> >
>> > Regards,
>> >
>> > Will
>> >
>> >
>> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com> wrote:
>> >>
>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> >> Possible Styx/Angler SilverLight Exploit";
>> >> flow:established,from_server; file_data; content:"PK"; within:2;
>> >> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
>> >> classtype:trojan-activity; sid:2017732; rev:6;)
>> >>
>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
>> >> Plugin Download Server Response"; flow:from_server,established;
>> >> file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;
>> >> classtype:trojan-activity; sid:2018036; rev:4;)
>> >>
>> >>
>> >> The within option in these signatures needs two preceding content
>> >> matches (per Suricata). Not sure where these patterns occur. If they
>> >> are at the beginning of the HTTP payload, probably should be
>> >> restricted to the HTTP body content.
>> >>
>> >>
>> >> ---
>> >> Michael Shirk
>> >> _______________________________________________
>> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> >> Site: http://suricata-ids.org | Support:
>> >> http://suricata-ids.org/support/
>> >> List:
>> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >> OISF: http://www.openinfosecfoundation.org/
>> >
>> >
>
>
More information about the Oisf-users
mailing list