[Oisf-users] question about http_uri and file_data

erik clark philosnef at gmail.com
Thu Jan 26 16:52:49 UTC 2017

I have a pcap I am trying to get a signature to fire off of. Here is the

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"packer";
content:"menu|2e|js"; http_uri; file_data;
content:"eval(function(p,a,c,k,e,d)"; fast_pattern:only; sid:1; rev:7;)

I can't provide a pcap, but this is a standard dean edwards packer menu

The problem I have is:

the http_uri hit comes from local to remote (this is a get request).
the file_data hit comes remote to local

Is there any way to get one rule to fire off this? Maybe with flowbits?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170126/c310160e/attachment.html>

More information about the Oisf-users mailing list