[Oisf-users] tcp.reassembly_gap
Victor Julien
lists at inliniac.net
Tue Jan 26 21:14:50 UTC 2016
On 26-01-16 16:04, Luke Whitworth wrote:
> Suricata versions:
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible
> Andromeda download with fake Zip header (2)";
> flow:to_client,established; content:"|0d 0a 0d 0a|PK|03 04|";
> byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding;
> classtype:trojan-activity; sid:2018576; rev:3;)
This doesn't look like the correct version, mine looks like this:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible
Andromeda download with fake Zip header (2)";
flow:to_client,established; file_data; content:"PK|03 04|"; within:4;
byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding;
classtype:trojan-activity; sid:2018576; rev:2;)
It uses file_data, which is better for accuracy. Interestingly it has rev:2.
I think you may be pulling your suricata rules from the wrong version:
e.g.
https://rules.emergingthreatspro.com/open/suricata/emerging-all.rules
instead of:
https://rules.emergingthreatspro.com/open/suricata-2.0/emerging-all.rules
If you use pulledpork or oinkmaster, could you try updating the URL to
include the suricata version like above?
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
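Added example, not code from the thread or from the Emerging Threats ruleset: a small Python emulation of the two rule variants compared above, run over constructed HTTP responses. The byte_test looks at the byte one past the PK|03 04| match, which in a genuine ZIP local file header is the high byte of the "version needed" field (normally 0x00), so only a fake header exceeds 20; the dechunk helper and the chunked sample are assumptions standing in for Suricata's HTTP body normalisation, to show a layout the raw-stream |0d 0a 0d 0a|PK|03 04| match cannot see while file_data can.

```python
# Emulation of two ET rule variants (rev:3 raw-stream vs rev:2 file_data) for
# illustration only; offsets follow byte_test:1,>,20,1,relative semantics.
ZIP_MAGIC = b"PK\x03\x04"

def byte_test_gt(buf: bytes, match_end: int, offset: int, value: int) -> bool:
    """byte_test:1,>,value,offset,relative: the byte at match_end+offset must exceed value."""
    idx = match_end + offset
    return idx < len(buf) and buf[idx] > value

def rev3_raw_stream(stream: bytes) -> bool:
    """rev:3 style: content:"|0d 0a 0d 0a|PK|03 04|" matched against the raw to_client stream."""
    pat = b"\r\n\r\n" + ZIP_MAGIC
    pos = stream.find(pat)
    return pos >= 0 and byte_test_gt(stream, pos + len(pat), 1, 20)

def rev2_file_data(body: bytes) -> bool:
    """rev:2 style: file_data; content:"PK|03 04|"; within:4 -> magic must open the body."""
    return body[:4] == ZIP_MAGIC and byte_test_gt(body, 4, 1, 20)

def dechunk(raw: bytes) -> bytes:
    """Minimal chunked-transfer decoder (assumed stand-in for the normalised body file_data sees)."""
    out, rest = b"", raw
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out, rest = out + rest[:size], rest[size + 2:]  # skip data and its CRLF

def evaluate(response: bytes) -> dict:
    """Run both variants over one HTTP response; returns {'rev3': bool, 'rev2': bool}."""
    headers, _, raw_body = response.partition(b"\r\n\r\n")
    chunked = b"transfer-encoding: chunked" in headers.lower()
    body = dechunk(raw_body) if chunked else raw_body
    return {"rev3": rev3_raw_stream(response), "rev2": rev2_file_data(body)}

# Constructed samples, not captured traffic.
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
REAL_ZIP = HDR + b"\r\n" + ZIP_MAGIC + b"\x14\x00\x08\x00"   # version 20 -> high byte 0x00
FAKE_ZIP = HDR + b"\r\n" + ZIP_MAGIC + b"AAAA"               # 0x41 where 0x00 belongs
CHUNKED_FAKE = HDR + b"Transfer-Encoding: chunked\r\n\r\n8\r\n" + ZIP_MAGIC + b"AAAA\r\n0\r\n\r\n"

if __name__ == "__main__":
    for name, resp in (("real", REAL_ZIP), ("fake", FAKE_ZIP), ("chunked fake", CHUNKED_FAKE)):
        print(name, evaluate(resp))
```

Only the chunked fake separates the two variants: the raw-stream pattern never sees "\r\n\r\nPK" because the chunk-size line sits between the header terminator and the magic.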