[Oisf-users] How to find particular signature pattern to build rules

liao zhuodi liao_zd at foxmail.com
Fri Feb 6 05:56:36 UTC 2015


Yes, something like that, but I used a bad sample; the way they build the rule is put in the reference. I am trying to figure out how to get the identical signature from those HEX, like this: 
Writing Good Rules: http://manual.snort.org/node36.html


Liao

> On 4 Feb 2015, at 23:57, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Not sure what you mean; the details of the exploit are in this reference:
> 
>> http://exploit-db.com/download_pdf/15077
> 
> The ET team are just building the sig from that.
> 
> - -Coop
> 
> On 2/3/2015 10:15 PM, liao zhuodi wrote:
>> I am looking at some suricata rules, like "emerging-web_client.rules", and try to figure out how some of them are built, like this:
>> 
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; 
>> flowbits:isset,ET.flash.pdf; 
>> flow:established,to_client; 
>> content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; 
>> reference:url,exploit-db.com/download_pdf/15077; 
>> classtype:attempted-user; 
>> sid:2011543; 
>> rev:5;)
>> 
>> The content pattern is just a sequence of HEX; how to pinpoint this HEX signature among tons of packets? Wireshark is a good tool, but it is still hard to find a particular signature like this. 
>> 
>> Liao
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> Training now available: http://suricata-ids.org/training/
>> 
> 
> 
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> 
> iQEcBAEBAgAGBQJU0kF/AAoJEKIFRYQsa8FWU3UH/3UuNJMVjKY32LFQBQrg8Y6T
> sJ6eQuMXG+czz6BPsnZruAYqBW3A33h+301J3V0AZCL7bEFn83d5GyOOuQIifJZJ
> rK0qjU3t9ScVT9yZiL/XFwsnXC1MyXQEK0xz40QYzh3rbv7Ju4tQOZv/OD/YiD/K
> JgcBnShIo9WnhwNAywbSzSPr/yWSGYD7QUQC1igJNcsj5jnyqKWmlQH0rLHJlgIF
> 2D8caamJHQvgGWrjwUz9HYFf4YFwEImEC8GYd740eY30lTknRlDfnPRRBFjUniWE
> IsGIylB6DG8yHY4JwrntoqkKIOF4inWjXFtFnNtWXwdf/6VMinY0/Nymm5J8DAQ=
> =BEG1
> -----END PGP SIGNATURE-----
> 

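The practical part of the question above is how the hex inside content:"|...|" relates to bytes on the wire and how to find those bytes in captured traffic. The following is an added example written for this archive page; it is not code from the thread, from Emerging Threats or from the Suricata project. It decodes the content option of the quoted rule (sid:2011543) into raw bytes, shows that the leading bytes 74 53 41 43 are the ASCII chunk tag "tSAC" named in the rule's msg, converts bytes back into content syntax, and searches a constructed sample payload for the signature the way a plain content match would. The sample HTTP response, the "near miss" copy with one byte changed, and the packet split are all constructed for the demonstration and are not a real Director file or a real capture.

```python
"""Decode Snort/Suricata content: patterns and locate them in raw payloads."""
import re

# The ET rule quoted in this thread (sid:2011543), joined onto one line for parsing.
RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any '
    '(msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; '
    'flowbits:isset,ET.flash.pdf; flow:established,to_client; '
    'content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 '
    '00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; '
    'reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; '
    'sid:2011543; rev:5;)'
)

# Matches content:"..." and content:!"...", allowing backslash-escaped characters inside.
CONTENT_RE = re.compile(r'content:\s*!?\s*"((?:[^"\\]|\\.)*)"')


def extract_contents(rule):
    """Return the raw (still escaped) value of every content: option in a rule."""
    return CONTENT_RE.findall(rule)


def content_to_bytes(content):
    """Convert a content string to bytes: text between pipes is hex, text outside
    pipes is literal, and a backslash escapes the next character (\\; \\" \\\\ \\|)."""
    out, hexbuf, in_hex = bytearray(), [], False
    i = 0
    while i < len(content):
        c = content[i]
        if in_hex:
            if c == "|":
                out += bytes.fromhex("".join(hexbuf))
                hexbuf, in_hex = [], False
            elif not c.isspace():
                hexbuf.append(c)
        elif c == "|":
            in_hex = True
        elif c == "\\" and i + 1 < len(content):
            i += 1
            out.append(ord(content[i]))
        else:
            out.append(ord(c))
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| segment in content")
    return bytes(out)


def bytes_to_content(data):
    """Inverse of content_to_bytes: printable ASCII stays literal, everything else
    (and the characters that need quoting) goes into a |hex| run."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(out)


def find_offsets(payload, pattern):
    """Every offset at which pattern occurs in payload (what a content: match hits)."""
    hits, start = [], 0
    while (idx := payload.find(pattern, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_packets(packets, pattern):
    """Search each packet payload on its own; returns (packet_index, offset) pairs."""
    return [(i, off) for i, p in enumerate(packets) for off in find_offsets(p, pattern)]


# Constructed sample stream (not a real Director file): an HTTP response carrying a
# one-byte-off copy of the signature (1D 02 -> 1D 03) and then the real signature.
SIGNATURE = content_to_bytes(extract_contents(RULE)[0])
PREFIX = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-director\r\n\r\n"
          + b"\x00" * 24)
NEAR_MISS = SIGNATURE[:5] + b"\x03" + SIGNATURE[6:]
SAMPLE_PAYLOAD = PREFIX + NEAR_MISS + b"\x00" * 16 + SIGNATURE + b"\x00" * 16
SIG_OFFSET = len(PREFIX) + len(NEAR_MISS) + 16

# Constructed TCP segmentation that splits the real signature across two packets.
_CUT = SIG_OFFSET + 10
PACKETS = [SAMPLE_PAYLOAD[:60], SAMPLE_PAYLOAD[60:_CUT], SAMPLE_PAYLOAD[_CUT:]]

if __name__ == "__main__":
    print("signature as content syntax:", bytes_to_content(SIGNATURE))
    print("offsets in reassembled stream:", find_offsets(SAMPLE_PAYLOAD, SIGNATURE))
    print("per-packet hits (split signature):", scan_packets(PACKETS, SIGNATURE))
    print("hits on reassembled stream:", scan_packets([b"".join(PACKETS)], SIGNATURE))
```

Two things the run shows that the rule text alone does not: a content match is an exact byte comparison, so the copy with a single byte changed is never reported, and a pattern that straddles a TCP segment boundary is invisible to a per-packet search (as in a packet-by-packet Wireshark filter) but found once the stream is reassembled, which is what the rule's flow:established keyword relies on the engine to do. To pin down such a signature in a capture, export the reassembled TCP stream (or the HTTP response body) and search the bytes rather than individual frames.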