[Oisf-users] Some errors in signtaures

Shirkdog shirkdog at gmail.com
Fri Jan 31 20:33:49 UTC 2014 

Roger, my Internets is slow. It has file_data so it will work.
Nevermind the noise :)

---
Michael Shirk


On Fri, Jan 31, 2014 at 3:26 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> curl
> https://rules.emergingthreats.net/open/suricata-1.4.6/emerging-all.rules |
> grep -P "sid\:(2017732|2018036)\x3b"
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time
> Current
>                                  Dload  Upload   Total   Spent    Left
> Speed
>  97 7347k   97 7168k    0     0  1140k      0  0:00:06  0:00:06 --:--:--
> 1190kalert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Possible Styx/Angler SilverLight Exploit"; flow:established,from_server;
> file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern;
> content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
> 100 7347k  100 7347k    0     0  1142k      0  0:00:06  0:00:06 --:--:--
> 1192k
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
> Plugin Download Server Response"; flow:from_server,established; file_data;
> content:"SOLAR|00|"; within:6; content:"MZP"; distance:0;
> classtype:trojan-activity; sid:2018036; rev:5;)
>
>
>
> On Fri, Jan 31, 2014 at 2:07 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>
>> Might put this over to the Emerging list (but since they are on here),
>> it looks like the emerging.rules.tar.gz is not inline with the
>> emerging-all.rules file when I hit suricata-1.4.6. I checked the
>> emerging-all.rules and these two signatures are not present. They
>> exist only in the tar file which is used by pulled pork to verify md5
>> hashes when downloading new signatures.
>>
>>
>>
>> ---
>> Michael Shirk
>>
>>
>> On Fri, Jan 31, 2014 at 10:59 AM, Shirkdog <shirkdog at gmail.com> wrote:
>> > I am upgrading to 1.4.7 but I will test with 1.4.6 to see if that
>> > works on the URI.
>> >
>> > ---
>> > Michael Shirk
>> >
>> >
>> > On Fri, Jan 31, 2014 at 10:48 AM, Will Metcalf
>> > <william.metcalf at gmail.com> wrote:
>> >> What version of suri are you using? if 1.3 or greater you should use
>> >> the 1.3
>> >> rules. Alternatively if you put your actually engine version in the URI
>> >> mod_rewrite magic will give you the correct ruleset i.e.
>> >>
>> >> https://rules.emergingthreatspro.com/open/suricata-1.4.7/
>> >>
>> >> The "suricata" rules are built for versions of suricata prior to 1.3,
>> >> you
>> >> will have missed detection's and performance will not be as good as if
>> >> you
>> >> use the later ruleset.
>> >>
>> >> Regards,
>> >>
>> >> Will
>> >>
>> >>
>> >> On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <shirkdog at gmail.com> wrote:
>> >>>
>> >>> I was pulling from here:
>> >>> https://rules.emergingthreatspro.com/open/suricata/
>> >>>
>> >>> Using PulledPork to grab open rules. However, it appears to be at a
>> >>> higher revision now so I will try again.
>> >>>
>> >>> ---
>> >>> Michael Shirk
>> >>>
>> >>>
>> >>> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
>> >>> <william.metcalf at gmail.com> wrote:
>> >>> > Hmmm Shirk are you sure you are using this set of rules. I see
>> >>> > something
>> >>> > in
>> >>> > the old version (non-1.3) of the rules that would fail on the new
>> >>> > engine.
>> >>> >
>> >>> > Regards,
>> >>> >
>> >>> > Will
>> >>> >
>> >>> >
>> >>> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com>
>> >>> > wrote:
>> >>> >>
>> >>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET
>> >>> >> CURRENT_EVENTS
>> >>> >> Possible Styx/Angler SilverLight Exploit";
>> >>> >> flow:established,from_server; file_data; content:"PK"; within:2;
>> >>> >> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
>> >>> >> classtype:trojan-activity; sid:2017732; rev:6;)
>> >>> >>
>> >>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
>> >>> >> SolarBot
>> >>> >> Plugin Download Server Response"; flow:from_server,established;
>> >>> >> file_data; content:"SOLAR|2e|"; within:6; content:"MZP";
>> >>> >> distance:0;
>> >>> >> classtype:trojan-activity; sid:2018036; rev:4;)
>> >>> >>
>> >>> >>
>> >>> >> The within option in these signatures needs two preceding content
>> >>> >> matches (per Suricata). Not sure where these patterns occur. If
>> >>> >> they
>> >>> >> are at the beginning of the HTTP payload, probably should be
>> >>> >> restricted to the HTTP body content.
>> >>> >>
>> >>> >>
>> >>> >> ---
>> >>> >> Michael Shirk
>> >>> >> _______________________________________________
>> >>> >> Suricata IDS Users mailing list:
>> >>> >> oisf-users at openinfosecfoundation.org
>> >>> >> Site: http://suricata-ids.org | Support:
>> >>> >> http://suricata-ids.org/support/
>> >>> >> List:
>> >>> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >>> >> OISF: http://www.openinfosecfoundation.org/
>> >>> >
>> >>> >
>> >>
>> >>
>
>

More information about the Oisf-users mailing list