[Oisf-users] How to find particular signature pattern to build rules

Cooper F. Nelson cnelson at ucsd.edu
Fri Feb 6 16:30:32 UTC 2015


Again, I'm not sure what you mean.

The guide you linked to is still good advice and will mostly apply to
writing Suricata rules.

Other than that, I'll suggest using the existing ET rules as a template
for writing new ones.

-Coop

On 2/5/2015 9:56 PM, liao zhuodi wrote:
> Yes, something like that, but I use a bad sample. The way they build the
> rule is put in the reference; I am trying to figure out how to get the
> identical signature from those HEX, like this:
> 
> 
>   Writing Good Rules
> 
> 
> http://manual.snort.org/node36.html
> 
> 
> Liao
> 
>> On 4 Feb 2015, at 23:57, Cooper F. Nelson <cnelson at ucsd.edu
>> <mailto:cnelson at ucsd.edu>> wrote:
>>
> Not sure what you mean, the details of the exploit are in this reference:
> 
>>>> http://exploit-db.com/download_pdf/15077
> 
> The ET team are just building the sig from that.
> 
> -Coop
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042