[Oisf-users] Some errors in signatures

Will Metcalf william.metcalf at gmail.com
Fri Jan 31 20:26:44 UTC 2014


curl https://rules.emergingthreats.net/open/suricata-1.4.6/emerging-all.rules | grep -P "sid\:(2017732|2018036)\x3b"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 97 7347k   97 7168k    0     0  1140k      0  0:00:06  0:00:06 --:--:-- 1190k
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
100 7347k  100 7347k    0     0  1142k      0  0:00:06  0:00:06 --:--:-- 1192k
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5;)



On Fri, Jan 31, 2014 at 2:07 PM, Shirkdog <shirkdog at gmail.com> wrote:

> Might put this over to the Emerging list (but since they are on here),
> it looks like the emerging.rules.tar.gz is not in line with the
> emerging-all.rules file when I hit suricata-1.4.6. I checked the
> emerging-all.rules and these two signatures are not present. They
> exist only in the tar file, which is used by PulledPork to verify md5
> hashes when downloading new signatures.
>
>
>
> ---
> Michael Shirk
>
>
> On Fri, Jan 31, 2014 at 10:59 AM, Shirkdog <shirkdog at gmail.com> wrote:
> > I am upgrading to 1.4.7 but I will test with 1.4.6 to see if that
> > works on the URI.
> >
> > ---
> > Michael Shirk
> >
> >
> > On Fri, Jan 31, 2014 at 10:48 AM, Will Metcalf
> > <william.metcalf at gmail.com> wrote:
> >> What version of suri are you using? If 1.3 or greater you should use the 1.3
> >> rules. Alternatively, if you put your actual engine version in the URI,
> >> mod_rewrite magic will give you the correct ruleset, i.e.
> >>
> >> https://rules.emergingthreatspro.com/open/suricata-1.4.7/
> >>
> >> The "suricata" rules are built for versions of suricata prior to 1.3; you
> >> will have missed detections and performance will not be as good as if you
> >> use the later ruleset.
> >>
> >> Regards,
> >>
> >> Will
> >>
> >>
> >> On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <shirkdog at gmail.com> wrote:
> >>>
> >>> I was pulling from here:
> >>> https://rules.emergingthreatspro.com/open/suricata/
> >>>
> >>> Using PulledPork to grab open rules. However, it appears to be at a
> >>> higher revision now so I will try again.
> >>>
> >>> ---
> >>> Michael Shirk
> >>>
> >>>
> >>> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
> >>> <william.metcalf at gmail.com> wrote:
> >>> > Hmmm Shirk, are you sure you are using this set of rules? I see something
> >>> > in the old version (non-1.3) of the rules that would fail on the new
> >>> > engine.
> >>> >
> >>> > Regards,
> >>> >
> >>> > Will
> >>> >
> >>> >
> >>> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com> wrote:
> >>> >>
> >>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
> >>> >>
> >>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:4;)
> >>> >>
> >>> >>
> >>> >> The within option in these signatures needs two preceding content
> >>> >> matches (per Suricata). Not sure where these patterns occur. If they
> >>> >> are at the beginning of the HTTP payload, probably should be
> >>> >> restricted to the HTTP body content.
> >>> >>
> >>> >>
> >>> >> ---
> >>> >> Michael Shirk
> >>> >> _______________________________________________
> >>> >> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >>> >> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> >>> >> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >>> >> OISF: http://www.openinfosecfoundation.org/
> >>> >
> >>> >
> >>
> >>
>
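Two checks come out of this thread: whether a relative modifier (within, distance) in a rule has an earlier content match in its buffer to be relative to, which is the objection raised against these two signatures, and whether a given ruleset actually carries the sids you expect, which is what the curl | grep above answers. The script below is an added example for this archive page, not code from Suricata, Emerging Threats or PulledPork. It parses rule options with a small regex, counts content matches per buffer, and looks up sids in ruleset text. The two ET rules are the 1.4.6 versions quoted above; the third rule, its sid in the local range, and the ruleset text are constructed for the example. The STICKY_BUFFERS set is an illustrative assumption, not the engine's full list, and the check reports what the thread's rule of thumb flags without claiming what any engine version accepts or rejects.

```python
"""Rule-hygiene checks for the two ET signatures discussed in this thread.

Added example, not code from Suricata, Emerging Threats or PulledPork.
"""
import re

# Assumption: illustrative set of keywords that switch to a new buffer and so
# reset the "previous content" that within/distance are relative to. Not the
# engine's complete list of sticky buffers.
STICKY_BUFFERS = {"file_data", "http_client_body", "http_server_body", "pkt_data"}
CONTENT_KEYWORDS = {"content", "uricontent"}
RELATIVE_MODIFIERS = {"within", "distance"}

# One option: keyword, optional ":value" (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)(?::((?:"[^"]*"|[^;"])*))?;')


def parse_options(rule):
    """Split the text inside a rule's parentheses into (keyword, value) pairs.

    Escaped quotes inside content strings are not handled (assumption: not
    needed for the rules on this page).
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")].strip()
    options, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError("unparseable option near: %r" % body[pos:pos + 40])
        value = m.group(2)
        options.append((m.group(1), value.strip() if value is not None else None))
        pos = m.end()
    return options


def sid_of(rule):
    """Return the rule's sid as an int, or None if it has none."""
    for key, value in parse_options(rule):
        if key == "sid":
            return int(value)
    return None


def check_relative_modifiers(rule):
    """Report within/distance options preceded by fewer than two content matches
    in the current buffer (the content they modify plus an earlier anchor)."""
    findings = []
    contents_in_buffer = 0
    for key, value in parse_options(rule):
        if key in STICKY_BUFFERS:
            contents_in_buffer = 0          # new buffer: no anchor yet
        elif key in CONTENT_KEYWORDS:
            contents_in_buffer += 1
        elif key in RELATIVE_MODIFIERS and contents_in_buffer < 2:
            findings.append("%s:%s has only %d content match(es) before it in its "
                            "buffer; needs an earlier content to be relative to"
                            % (key, value, contents_in_buffer))
    return findings


def sids_present(ruleset_text, wanted):
    """Map each wanted sid found in ruleset_text to True (enabled) or False
    (commented out). Absent sids do not appear in the result."""
    found = {}
    for line in ruleset_text.splitlines():
        stripped = line.strip()
        m = re.search(r"\bsid:\s*(\d+)\s*;", stripped)
        if m and int(m.group(1)) in wanted:
            found[int(m.group(1))] = not stripped.startswith("#")
    return found


# The two rules as they appear in the suricata-1.4.6 emerging-all.rules output
# quoted in the thread.
STYX_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS '
             'Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; '
             'file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; '
             'content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)')
SOLARBOT_RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot '
                 'Plugin Download Server Response"; flow:from_server,established; file_data; '
                 'content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; '
                 'classtype:trojan-activity; sid:2018036; rev:5;)')
# Constructed rule (not an ET signature) whose within has an anchoring content;
# the sid in the local range is a placeholder.
CLEAN_RULE = ('alert http any any -> any any (msg:"constructed example"; file_data; '
              'content:"A"; depth:1; content:"B"; within:4; sid:9000001; rev:1;)')

# Constructed ruleset text: the two ET rules enabled, the constructed one disabled.
RULESET_TEXT = "\n".join(["# constructed ruleset for the example",
                          STYX_RULE, SOLARBOT_RULE, "# " + CLEAN_RULE])

if __name__ == "__main__":
    for rule in (STYX_RULE, SOLARBOT_RULE, CLEAN_RULE):
        print(sid_of(rule), check_relative_modifiers(rule) or "ok")
    print(sids_present(RULESET_TEXT, {2017732, 2018036, 9000001, 2018037}))
```

Run against the two ET rules, the check flags the within that immediately follows the first content after file_data in each, which is exactly what was objected to upthread; the constructed rule passes because its within follows a second content. The sid lookup distinguishes a rule that is present but commented out from one that is absent, a distinction the grep in the thread does not make.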