[Oisf-users] question about http_uri and file_data
erik clark
philosnef at gmail.com
Thu Jan 26 16:52:49 UTC 2017
I have a pcap I am trying to get a signature to fire on. Here is the sig:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"packer";
content:"menu|2e|js"; http_uri; file_data;
content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; sid:1; rev:7;)
I can't provide a pcap, but this is a standard Dean Edwards packer menu JavaScript.
The problem I have is:
- The http_uri hit comes from local to remote (this is a GET request).
- The file_data hit comes from remote to local.
Is there any way to get one rule to fire on this? Maybe with flowbits?
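Added example, not part of the original post: the flowbits approach the question hints at, written as a pair of Suricata rules. The request half matches the URI on the to_server side and sets a flowbit without alerting; the response half only inspects file_data on the to_client side when that bit is set, so a single alert fires for the transaction. The sids, the flowbit name and the msg strings are my placeholders; the content matches are the ones from the original rule, with `fast_pattern:only` replaced by the plain `fast_pattern` form.

```suricata
# Added example (not from the original post). Rule 1: request side.
# Direction is reversed relative to the original rule, because the URI
# only exists in the client's GET. flowbits:noalert keeps this rule silent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"packer - menu.js requested (flowbit set)"; \
    flow:established,to_server; \
    content:"menu|2e|js"; http_uri; \
    flowbits:set,packer.menu_js; flowbits:noalert; \
    sid:1000001; rev:1;)

# Rule 2: response side. file_data points at the HTTP response body, so the
# rule is evaluated to_client and gated on the flowbit set by rule 1.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"packer - Dean Edwards packer in menu.js response"; \
    flow:established,to_client; \
    flowbits:isset,packer.menu_js; \
    file_data; content:"eval(function(p,a,c,k,e,d)"; fast_pattern; \
    sid:1000002; rev:1;)
```

Both rules go in the same rules file (the trailing backslashes are Suricata's multi-line rule syntax). The flowbit is scoped to the flow, so on a keep-alive connection a later response in the same flow would also satisfy `isset`; if that matters, add a third rule that unsets the bit on the response, or accept the looser match.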