[Oisf-users] tcp.reassembly_gap

Luke Whitworth l.a.whitworth at gmail.com
Wed Jan 27 08:40:21 UTC 2016


Well that's a bit embarrassing!  Yep my rules were being pulled from the
wrong URL.  I've got the correct rules being pulled now so will see how it
goes from here out!

Cheers Victor

On 26 January 2016 at 21:14, Victor Julien <lists at inliniac.net> wrote:

> On 26-01-16 16:04, Luke Whitworth wrote:
>
>> Suricata version:
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible
>> Andromeda download with fake Zip header (2)";
>> flow:to_client,established; content:"|0d 0a 0d 0a|PK|03 04|";
>> byte_test:1,>,20,1,relative; flowbits:set,et.exploitkitlanding;
>> classtype:trojan-activity; sid:2018576; rev:3;)
>>
>
> This doesn't look like the correct version, mine looks like this:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible
> Andromeda download with fake Zip header (2)"; flow:to_client,established;
> file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative;
> flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018576;
> rev:2;)
>
> It uses file_data, which is better for accuracy. Interestingly it has
> rev:2.
>
> I think you may be pulling your suricata rules from the wrong version:
>
> e.g.
> https://rules.emergingthreatspro.com/open/suricata/emerging-all.rules
> instead of:
> https://rules.emergingthreatspro.com/open/suricata-2.0/emerging-all.rules
>
> If you use pulledpork or oinkmaster, could you try updating the URL to
> include the suricata version like above?
>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
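As an added example (my own code, not from the thread, Suricata or Emerging Threats), a small Python parser that pulls sid, rev and the presence of file_data out of rule lines, so a locally downloaded feed can be compared against the reference feed the way Victor did by eye; it also checks whether an ET feed URL names a Suricata version. The two rule texts are the ones quoted above; the function names are my own.

```python
import re

# Sample input constructed from the two rule texts quoted in this thread
# (sid 2018576: rev:3 without file_data vs rev:2 with file_data).
RULE_LOCAL = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible '
              'Andromeda download with fake Zip header (2)"; flow:to_client,established; '
              'content:"|0d 0a 0d 0a|PK|03 04|"; byte_test:1,>,20,1,relative; '
              'flowbits:set,et.exploitkitlanding; classtype:trojan-activity; '
              'sid:2018576; rev:3;)')
RULE_REFERENCE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible '
                  'Andromeda download with fake Zip header (2)"; flow:to_client,established; '
                  'file_data; content:"PK|03 04|"; within:4; byte_test:1,>,20,1,relative; '
                  'flowbits:set,et.exploitkitlanding; classtype:trojan-activity; '
                  'sid:2018576; rev:2;)')

# One rule option: keyword, optional ':' value (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule):
    """Split the parenthesised option body into (keyword, value) pairs."""
    _, _, body = rule.partition('(')       # first '(' opens the option body
    body = body.rstrip().rstrip(')')       # msg may contain ')', only the last one closes
    opts = []
    for m in OPTION_RE.finditer(body):
        val = m.group(2)
        opts.append((m.group(1), val.strip().strip('"') if val is not None else None))
    return opts


def rule_summary(rule):
    """Return sid, rev and whether the rule inspects the file_data buffer."""
    opts = parse_options(rule)
    byname = dict(opts)
    return {'sid': int(byname['sid']), 'rev': int(byname['rev']),
            'file_data': any(k == 'file_data' for k, _ in opts)}


def revision_mismatches(local_rules, reference_rules):
    """Map sid -> (local rev, reference rev, local file_data, reference file_data)
    for every sid whose rev differs between the two feeds."""
    ref = {s['sid']: s for s in map(rule_summary, reference_rules)}
    out = {}
    for s in map(rule_summary, local_rules):
        r = ref.get(s['sid'])
        if r is not None and r['rev'] != s['rev']:
            out[s['sid']] = (s['rev'], r['rev'], s['file_data'], r['file_data'])
    return out


def url_pins_suricata_version(url):
    """True when the feed URL names a Suricata version (e.g. /suricata-2.0/), as in the thread."""
    return re.search(r'/suricata-\d+\.\d+/', url) is not None
```

A feed whose sids carry a lower rev than the reference, or that lacks file_data where the reference uses it, is a sign the wrong URL is configured in pulledpork or oinkmaster.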

