[Oisf-users] How to find particular signature pattern to build rules

liao zhuodi liao_zd at foxmail.com
Wed Feb 4 06:15:16 UTC 2015


I am looking at some Suricata rules, like "emerging-web_client.rules", and I am trying to figure out how some of them are built, like this one:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt";
flowbits:isset,ET.flash.pdf;
flow:established,to_client;
content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|";
reference:url,exploit-db.com/download_pdf/15077;
classtype:attempted-user;
sid:2011543;
rev:5;)

The content pattern is just a sequence of hex, so how do I pinpoint this hex signature among tons of packets? Wireshark is a good tool, but it is still hard to find a particular signature like this with it.

Liao
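The script below is an added example written for this thread; it is not part of Liao's post and not ET or Suricata project code. It shows the two directions the question is about: decoding a content: value (mixed literal text and |hex| segments, with backslash escapes) into the exact bytes the engine compares, searching a reassembled payload for those bytes, and, going the other way, turning a byte slice lifted from a capture into a content: string you can paste into a rule. The HTTP response body used as input is constructed for the example (the tSAC bytes are the ones from the rule above, padded with filler; nothing about real Director file layout is claimed), and the helper names are my own.

```python
"""Decode, search and re-encode Suricata/Snort content: patterns.

Added example for illustration; helper names, the sample payload and
the escaping policy in to_content() are this example's own choices.
"""
import re

# Bytes that may appear as literal text inside content:"...". Anything
# else (non-printables, and the characters Suricata needs escaped:
# | " ; \ ) is emitted in |hex| form by to_content().
_LITERAL_OK = set(range(0x20, 0x7F)) - set(map(ord, '|";\\'))

# Pulls the raw (still escaped) value out of every content:"..." keyword.
_CONTENT_RE = re.compile(r'content:\s*"((?:[^"\\]|\\.)*)"')


def extract_contents(rule: str) -> list:
    """Return the raw content: values of one rule, in order of appearance."""
    return _CONTENT_RE.findall(rule)


def parse_content(value: str) -> bytes:
    """Decode a content: value into the bytes the engine actually matches.

    Literal text and |hex| segments may be mixed; a backslash escapes the
    next character; whitespace inside |...| is ignored; hex is case-insensitive.
    """
    out = bytearray()
    hexbuf, in_hex, i = [], False, 0
    while i < len(value):
        c = value[i]
        if in_hex:
            if c == '|':                      # end of hex segment
                digits = ''.join(hexbuf)
                if len(digits) % 2:
                    raise ValueError('odd number of hex digits in %r' % value)
                out += bytes.fromhex(digits)
                hexbuf, in_hex = [], False
            elif c.isspace():
                pass
            elif c in '0123456789abcdefABCDEF':
                hexbuf.append(c)
            else:
                raise ValueError('bad character %r inside |hex| segment' % c)
        elif c == '|':                        # start of hex segment
            in_hex = True
        elif c == '\\':                       # escaped literal character
            i += 1
            if i >= len(value):
                raise ValueError('dangling backslash in %r' % value)
            out += value[i].encode('latin-1')
        else:
            out += c.encode('latin-1')
        i += 1
    if in_hex:
        raise ValueError('unterminated |hex| segment in %r' % value)
    return bytes(out)


def to_content(data: bytes) -> str:
    """Inverse of parse_content(): printable runs stay literal, the rest |hex|."""
    parts, i = [], 0
    while i < len(data):
        j = i
        if data[i] in _LITERAL_OK:
            while j < len(data) and data[j] in _LITERAL_OK:
                j += 1
            parts.append(data[i:j].decode('ascii'))
        else:
            while j < len(data) and data[j] not in _LITERAL_OK:
                j += 1
            parts.append('|' + ' '.join('%02X' % b for b in data[i:j]) + '|')
        i = j
    return ''.join(parts)


def find_pattern(value: str, payload: bytes) -> list:
    """Every offset at which the decoded content: bytes occur in payload."""
    needle = parse_content(value)
    hits, pos = [], payload.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = payload.find(needle, pos + 1)
    return hits


# The content: value from the rule quoted in the post (sid:2011543).
RULE_CONTENT = ("|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 "
                "00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF "
                "11 11 00 00|")

# Constructed sample: a reassembled HTTP response carrying the chunk bytes
# behind 16 bytes of filler. Not a real Director file.
SAMPLE_PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-director\r\n\r\n"
                  + b"\x00" * 16 + parse_content(RULE_CONTENT) + b"\x00" * 8)

if __name__ == '__main__':
    for off in find_pattern(RULE_CONTENT, SAMPLE_PAYLOAD):
        print('match at offset %d' % off)
        # Re-encode the 16 bytes around the hit the way a rule would write them.
        print('content:"%s";' % to_content(SAMPLE_PAYLOAD[off:off + 16]))
```

Usage: feed find_pattern() the decoded, reassembled payload (for HTTP, the response body after any content-encoding has been removed), not individual frames; a pattern that straddles two segments will not be found frame by frame. In Wireshark the leading bytes can be searched for with a display filter like `tcp contains 74:53:41:43`, which looks at raw TCP payload, so a gzip-compressed body will not match there until it is decoded.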