[Oisf-users] Some errors in signatures

Shirkdog shirkdog at gmail.com
Fri Jan 31 20:56:47 UTC 2014


I forgot to mention for anyone using PulledPork with Suricata, to make
this work, you just need to pass in the -S option on the command line:

-S suricata-1.4.7

The standard entry for emergingthreats will work fine in pulledpork.conf

---
Michael Shirk


On Fri, Jan 31, 2014 at 3:33 PM, Shirkdog <shirkdog at gmail.com> wrote:
> Roger, my Internets is slow. It has file_data so it will work.
> Nevermind the noise :)
>
> ---
> Michael Shirk
>
>
> On Fri, Jan 31, 2014 at 3:26 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
>> curl
>> https://rules.emergingthreats.net/open/suricata-1.4.6/emerging-all.rules |
>> grep -P "sid\:(2017732|2018036)\x3b"
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time
>> Current
>>                                  Dload  Upload   Total   Spent    Left
>> Speed
>>  97 7347k   97 7168k    0     0  1140k      0  0:00:06  0:00:06 --:--:--
>> 1190kalert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Possible Styx/Angler SilverLight Exploit"; flow:established,from_server;
>> file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern;
>> content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
>> 100 7347k  100 7347k    0     0  1142k      0  0:00:06  0:00:06 --:--:--
>> 1192k
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot
>> Plugin Download Server Response"; flow:from_server,established; file_data;
>> content:"SOLAR|00|"; within:6; content:"MZP"; distance:0;
>> classtype:trojan-activity; sid:2018036; rev:5;)
>>
>>
>>
>> On Fri, Jan 31, 2014 at 2:07 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>>
>>> Might put this over to the Emerging list (but since they are on here),
>>> it looks like the emerging.rules.tar.gz is not in line with the
>>> emerging-all.rules file when I hit suricata-1.4.6. I checked the
>>> emerging-all.rules and these two signatures are not present. They
>>> exist only in the tar file which is used by PulledPork to verify md5
>>> hashes when downloading new signatures.
>>>
>>>
>>>
>>> ---
>>> Michael Shirk
>>>
>>>
>>> On Fri, Jan 31, 2014 at 10:59 AM, Shirkdog <shirkdog at gmail.com> wrote:
>>> > I am upgrading to 1.4.7 but I will test with 1.4.6 to see if that
>>> > works on the URI.
>>> >
>>> > ---
>>> > Michael Shirk
>>> >
>>> >
>>> > On Fri, Jan 31, 2014 at 10:48 AM, Will Metcalf
>>> > <william.metcalf at gmail.com> wrote:
>>> >> What version of suri are you using? if 1.3 or greater you should use
>>> >> the 1.3
>>> >> rules. Alternatively if you put your actual engine version in the URI
>>> >> mod_rewrite magic will give you the correct ruleset i.e.
>>> >>
>>> >> https://rules.emergingthreatspro.com/open/suricata-1.4.7/
>>> >>
>>> >> The "suricata" rules are built for versions of suricata prior to 1.3,
>>> >> you
>>> >> will have missed detections and performance will not be as good as if
>>> >> you
>>> >> use the later ruleset.
>>> >>
>>> >> Regards,
>>> >>
>>> >> Will
>>> >>
>>> >>
>>> >> On Fri, Jan 31, 2014 at 9:42 AM, Shirkdog <shirkdog at gmail.com> wrote:
>>> >>>
>>> >>> I was pulling from here:
>>> >>> https://rules.emergingthreatspro.com/open/suricata/
>>> >>>
>>> >>> Using PulledPork to grab open rules. However, it appears to be at a
>>> >>> higher revision now so I will try again.
>>> >>>
>>> >>> ---
>>> >>> Michael Shirk
>>> >>>
>>> >>>
>>> >>> On Fri, Jan 31, 2014 at 12:04 AM, Will Metcalf
>>> >>> <william.metcalf at gmail.com> wrote:
>>> >>> > Hmmm Shirk are you sure you are using this set of rules. I see
>>> >>> > something
>>> >>> > in
>>> >>> > the old version (non-1.3) of the rules that would fail on the new
>>> >>> > engine.
>>> >>> >
>>> >>> > Regards,
>>> >>> >
>>> >>> > Will
>>> >>> >
>>> >>> >
>>> >>> > On Thu, Jan 30, 2014 at 10:11 PM, Shirkdog <shirkdog at gmail.com>
>>> >>> > wrote:
>>> >>> >>
>>> >>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET
>>> >>> >> CURRENT_EVENTS
>>> >>> >> Possible Styx/Angler SilverLight Exploit";
>>> >>> >> flow:established,from_server; file_data; content:"PK"; within:2;
>>> >>> >> content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml";
>>> >>> >> classtype:trojan-activity; sid:2017732; rev:6;)
>>> >>> >>
>>> >>> >> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
>>> >>> >> SolarBot
>>> >>> >> Plugin Download Server Response"; flow:from_server,established;
>>> >>> >> file_data; content:"SOLAR|2e|"; within:6; content:"MZP";
>>> >>> >> distance:0;
>>> >>> >> classtype:trojan-activity; sid:2018036; rev:4;)
>>> >>> >>
>>> >>> >>
>>> >>> >> The within option in these signatures needs two preceding content
>>> >>> >> matches (per Suricata). Not sure where these patterns occur. If
>>> >>> >> they
>>> >>> >> are at the beginning of the HTTP payload, probably should be
>>> >>> >> restricted to the HTTP body content.
>>> >>> >>
>>> >>> >>
>>> >>> >> ---
>>> >>> >> Michael Shirk
>>> >>> >> _______________________________________________
>>> >>> >> Suricata IDS Users mailing list:
>>> >>> >> oisf-users at openinfosecfoundation.org
>>> >>> >> Site: http://suricata-ids.org | Support:
>>> >>> >> http://suricata-ids.org/support/
>>> >>> >> List:
>>> >>> >> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >>> >> OISF: http://www.openinfosecfoundation.org/
>>> >>> >
>>> >>> >
>>> >>
>>> >>
>>
>>
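Added example, not code from this thread, PulledPork or Emerging Threats: a small sid/rev comparison of two rule sources, which is the check that would have surfaced the drift between emerging-all.rules and the tarball (one sid missing from one side, the SolarBot rule at rev:4 on one side and rev:5 on the other). The rule text embedded below is constructed from the two signatures quoted in the thread.

```python
"""Compare two Suricata rule sets by sid and rev (added example).

Reports sids present on one side only and sids whose rev differs, so a
rule update can be sanity-checked before the engine loads it.
"""
import re
from typing import Dict, Tuple

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

# Constructed sample input modelled on the two rules quoted in the thread.
ALL_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:5;)
"""
TAR_RULES = """\
# disabled rule lines start with '#' and are ignored
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|2e|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:4;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
"""


def parse_rules(text: str) -> Dict[int, Tuple[int, str]]:
    """Map sid -> (rev, rule line); blanks and '#'-disabled rules are skipped."""
    rules: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if sid is None:
            continue  # not a rule line (or malformed); nothing to key on
        rev = REV_RE.search(line)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0, line)
    return rules


def compare_rulesets(left: str, right: str) -> dict:
    """Sids only on one side, and sids present on both with different rev."""
    a, b = parse_rules(left), parse_rules(right)
    common = set(a) & set(b)
    return {
        "only_left": sorted(set(a) - set(b)),
        "only_right": sorted(set(b) - set(a)),
        "rev_mismatch": sorted(s for s in common if a[s][0] != b[s][0]),
    }


if __name__ == "__main__":
    for key, sids in compare_rulesets(ALL_RULES, TAR_RULES).items():
        print(f"{key}: {sids}")
```

Point the two arguments at the contents of emerging-all.rules and the concatenated rule files from emerging.rules.tar.gz to run it against a real download.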


