[Oisf-users] How to find particular signature pattern to build rules

Cooper F. Nelson cnelson at ucsd.edu
Wed Feb 4 15:57:51 UTC 2015



Not sure what you mean, the details of the exploit are in this reference:

> http://exploit-db.com/download_pdf/15077

The ET team are just building the sig from that.

-Coop

On 2/3/2015 10:15 PM, liao zhuodi wrote:
> I am looking at some Suricata rules, like "emerging-web_client.rules", and trying to figure out how some of them are built, like this:
> 
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; 
> flowbits:isset,ET.flash.pdf; 
> flow:established,to_client; 
> content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; 
> reference:url,exploit-db.com/download_pdf/15077; 
> classtype:attempted-user; 
> sid:2011543; 
> rev:5;)
> 
> The content pattern is just a sequence of hex bytes; how do I pinpoint this hex signature among tons of packets? Wireshark is a good tool, but it is still hard to find a particular signature like this. 
> 
> Liao


-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
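As an added example (not part of the thread or of the ET ruleset), the Python below decodes the content: string from the rule Liao quoted into raw bytes and searches a constructed payload for it; this is how an analyst confirms a pattern actually occurs in a captured file or reassembled stream before trusting or tuning the rule. The payload and its offset are constructed for illustration and are not a real Director file.

```python
# The content: string exactly as it appears in the quoted ET rule (sid:2011543).
RULE_CONTENT = (
    "|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14"
    " 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF"
    " 11 11 00 00|"
)


def content_to_bytes(content: str) -> bytes:
    """Decode a Suricata/Snort content string into raw bytes.

    Sections between '|' pipes are hex (whitespace ignored); text outside the
    pipes is matched literally, so 'GET|20|/' becomes b'GET /'.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                       # odd index => inside a |..| hex section
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def find_offsets(payload: bytes, pattern: bytes) -> list:
    """Return every byte offset at which pattern occurs in payload."""
    offsets, pos = [], payload.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = payload.find(pattern, pos + 1)
    return offsets


PATTERN = content_to_bytes(RULE_CONTENT)

# Constructed stand-in for a reassembled HTTP response body: 64 bytes of filler,
# the rule's pattern, then more filler. Not a real Director file.
SAMPLE_PAYLOAD = b"\x00" * 64 + PATTERN + b"\x00" * 16


def describe(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Summarise what the rule matches on: the pattern's length, its ASCII chunk
    tag (the first four bytes spell 'tSAC', matching the rule's msg), and the
    offsets where it lands in the payload."""
    return {
        "pattern_len": len(PATTERN),
        "chunk_tag": PATTERN[:4].decode("ascii"),
        "offsets": find_offsets(payload, PATTERN),
    }


if __name__ == "__main__":
    print(describe())
```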


