[Oisf-users] Some errors in signatures

Shirkdog shirkdog at gmail.com
Fri Jan 31 20:07:56 UTC 2014


Might put this over to the Emerging list (but since they are on here):
it looks like the emerging.rules.tar.gz is not in line with the
emerging-all.rules file when I hit suricata-1.4.6. I checked the
emerging-all.rules and these two signatures are not present. They
exist only in the tar file, which is used by PulledPork to verify md5
hashes when downloading new signatures.



---
Michael Shirk


On Fri, Jan 31, 2014 at 10:59 AM, Shirkdog <shirkdog at gmail.com> wrote:
> I am upgrading to 1.4.7 but I will test with 1.4.6 to see if that
> works on the URI.
>
> ---
> Michael Shirk
>
>
> On Fri, Jan 31, 2014 at 10:48 AM, Will Metcalf
> <william.metcalf at gmail.com> wrote:
>> What version of suri are you using? If 1.3 or greater you should use the 1.3
>> rules. Alternatively, if you put your actual engine version in the URI,
>> mod_rewrite magic will give you the correct ruleset, i.e.
>>
>> https://rules.emergingthreatspro.com/open/suricata-1.4.7/
>>
>> The "suricata" rules are built for versions of suricata prior to 1.3; you
>> will have missed detections and performance will not be as good as if you
>> use the later ruleset.
>>
>> Regards,
>>
>> Will
>>
>>
>> On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <shirkdog at gmail.com> wrote:
>>>
>>> I was pulling from here:
>>> https://rules.emergingthreatspro.com/open/suricata/
>>>
>>> Using PulledPork to grab open rules. However, it appears to be at a
>>> higher revision now so I will try again.
>>>
>>> ---
>>> Michael Shirk
>>>
>>>
>>> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
>>> <william.metcalf at gmail.com> wrote:
>>> > Hmmm, Shirk, are you sure you are using this set of rules? I see something
>>> > in the old version (non-1.3) of the rules that would fail on the new
>>> > engine.
>>> >
>>> > Regards,
>>> >
>>> > Will
>>> >
>>> >
>>> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>> >>
>>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>>> >> Possible Styx/Angler SilverLight Exploit";
>>> >> flow:established,from_server; file_data; content:"PK"; within:2;
>>> >> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
>>> >> classtype:trojan-activity; sid:2017732; rev:6;)
>>> >>
>>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
>>> >> Plugin Download Server Response"; flow:from_server,established;
>>> >> file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0;
>>> >> classtype:trojan-activity; sid:2018036; rev:4;)
>>> >>
>>> >>
>>> >> The within option in these signatures needs two preceding content
>>> >> matches (per Suricata). Not sure where these patterns occur. If they
>>> >> are at the beginning of the HTTP payload, probably should be
>>> >> restricted to the HTTP body content.
>>> >>
>>> >>
>>> >> ---
>>> >> Michael Shirk
>>> >> _______________________________________________
>>> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> >> Site: http://suricata-ids.org | Support:
>>> >> http://suricata-ids.org/support/
>>> >> List:
>>> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >> OISF: http://www.openinfosecfoundation.org/
>>> >
>>> >
>>
>>

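The ordering problem Shirk points at (a `within` or `distance` sitting right after the first `content` in a `file_data` buffer, with no earlier match in that buffer to be relative to) is easy to catch before a ruleset is loaded. The following lint is an added example written for this page; it is not code from the thread, from Emerging Threats or from Suricata/PulledPork, and it models only the ordering constraint the thread describes rather than the engine's full parser. It treats `file_data` and `dce_stub_data` as the only buffer switches (an assumption), runs over the two rules quoted above plus a hypothetical rewrite that anchors the first match with `depth` instead of `within` (sid 1000001 is a local-range placeholder, not an ET identifier), and reports every relative modifier that lacks a preceding content match in its buffer.

```python
# Sticky buffers that start a new match context. A relative modifier on the
# first content after one of these has nothing to be relative to.
# Assumption: only these two are modelled; this is a lint, not the engine.
BUFFER_RESETS = {"file_data", "dce_stub_data"}
RELATIVE_MODIFIERS = {"within", "distance"}

# Constructed sample input: the two rules quoted in the thread.
THREAD_RULES = [
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS '
    'Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; '
    'file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; '
    'content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)',
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot '
    'Plugin Download Server Response"; flow:from_server,established; '
    'file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; '
    'classtype:trojan-activity; sid:2018036; rev:4;)',
]

# Hypothetical rewrite (not an ET rule): anchor the first match with depth,
# so the later content/distance pair has a preceding match to be relative to.
CORRECTED_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL example '
    'with depth instead of within"; flow:established,from_server; '
    'file_data; content:"PK"; depth:2; content:"ababbss.dll"; fast_pattern; '
    'content:"AppManifest.xaml"; distance:0; classtype:trojan-activity; '
    'sid:1000001; rev:1;)'
)


def split_options(rule):
    """Return (header, [(keyword, value_or_None), ...]) for one rule line.

    Splits on ';' only outside double quotes and honours backslash escapes,
    so a '|3b|' or an escaped quote inside a content pattern does not break
    the option list.
    """
    start, end = rule.index("("), rule.rindex(")")
    header, body = rule[:start].strip(), rule[start + 1:end]
    options, buf, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        options.append("".join(buf))
    parsed = []
    for opt in options:
        opt = opt.strip()
        if opt:
            key, sep, val = opt.partition(":")
            parsed.append((key.strip(), val.strip() if sep else None))
    return header, parsed


def sid_of(options):
    """Pick the numeric sid out of a parsed option list (None if absent)."""
    for key, val in options:
        if key == "sid":
            return int(val)
    return None


def lint_relative_modifiers(rule):
    """Return findings for within/distance modifiers that have no anchor.

    A within/distance applies to the content immediately before it and is
    measured from the content before that. After a sticky buffer switch the
    earlier matches no longer count, so the modifier needs two content
    keywords since the last switch; anything less is reported.
    """
    _, options = split_options(rule)
    sid = sid_of(options)
    contents_in_buffer = 0  # content keywords seen since the last buffer switch
    findings = []
    for key, val in options:
        if key in BUFFER_RESETS:
            contents_in_buffer = 0
        elif key == "content":
            contents_in_buffer += 1
        elif key in RELATIVE_MODIFIERS and contents_in_buffer < 2:
            findings.append(
                f"sid {sid}: '{key}:{val}' has no preceding content to be "
                f"relative to ({contents_in_buffer} content match(es) in buffer)"
            )
    return findings


if __name__ == "__main__":
    for rule in THREAD_RULES + [CORRECTED_RULE]:
        for finding in lint_relative_modifiers(rule) or ["sid %s: ok" % sid_of(split_options(rule)[1])]:
            print(finding)
```

Run it over a whole `.rules` file by feeding each non-comment line to `lint_relative_modifiers`; the check is deliberately conservative (it counts keywords, not what the engine accepts for a given version), so treat a finding as something to verify against the target Suricata release rather than as a guaranteed load failure.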