[Emerging-Sigs] Misfires on 2001685
Matt Jonkman
jonkman at jonkmans.com
Fri May 23 09:23:15 EDT 2008
Great idea Jack, that ought to make this sig more reliable.
Wouldn't it be a 0a right before though? Like in an http stream you'd
have |0d 0a| to end the previous line...
Matt
Jack Pepper wrote:
> The "MZ" string keeps showing up in real BMP files (statistically,
> this rule should misfire one time out of every 256 BMP files). So I
> altered it to require that the exe magic string must come at the
> beginning of the attached file:
>
> --- Before ---
> alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows
> executable sent when remote host claims to send an image"; flow:
> established; content:"Content-Type\: image"; content:"MZ"; within: 12;
> classtype: trojan-activity; sid: 2001685; rev:4;)
>
> --- After ---
> alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows
> executable sent when remote host claims to send an image"; flow:
> established; content:"Content-Type\: image"; content:"|0d|MZ"; within:
> 12; classtype: trojan-activity; sid: 2001685; rev:5;)
>
>
> jp
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
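To make the thread's point concrete, here is an added example (not code from the list or from Emerging Threats) that emulates the relative content/within check of sid 2001685 in Python and runs rev 4 ("MZ"), rev 5 ("|0d|MZ") and the "|0a|MZ" variant Matt raises over three constructed HTTP responses: a real BMP whose file-size field happens to contain the bytes "MZ", a PE executable served with an image Content-Type, and a genuine GIF. The matching function is an approximation of Snort's relative search window (an assumption, not Snort's code) and the payloads are constructed, not captured traffic.

```python
# Added example: emulate the content/within matching of ET sid 2001685 rev 4,
# rev 5 ("|0d|MZ") and the "|0a|MZ" variant suggested in the thread, over
# constructed HTTP responses. Not Emerging Threats code; Snort's semantics are
# approximated.

def content_within(data: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Approximation of Snort's relative 'content ...; within: N' check.

    The first pattern is searched anywhere in the payload; the second must then
    lie entirely inside the N-byte window that starts at the end of that match.
    Like Snort, later occurrences of the first pattern are retried if the
    window after an earlier one does not contain the second pattern.
    (Assumption: close enough to the Snort 2 relative-search window for the
    rule under discussion.)
    """
    pos = data.find(first)
    while pos >= 0:
        end_of_first = pos + len(first)
        if second in data[end_of_first:end_of_first + within]:
            return True
        pos = data.find(first, pos + 1)
    return False


# The first content is common to every revision; the rule writes it as
# "Content-Type\: image" because Snort escapes the colon.
FIRST = b"Content-Type: image"
WITHIN = 12

# Second content per rule variant, as raw bytes (|0d| = 0x0d, |0a| = 0x0a).
RULES = {
    "rev4_MZ":    b"MZ",    # original rule, as posted
    "rev5_CR_MZ": b"\rMZ",  # Jack's change: require 0x0d right before MZ
    "LF_MZ":      b"\nMZ",  # Matt's point: on the wire the byte before MZ is 0x0a
}

# Constructed HTTP responses (not captured traffic). The 12-byte window begins
# right after "image", so Content-Type must be the last header before the body
# for any of these variants to fire at all.
SAMPLES = {
    # Real BMP whose little-endian file-size field is 0x5a4d, i.e. the bytes
    # "MZ": the window is b"/bmp\r\n\r\nBMMZ" (exactly 12 bytes), so rev 4 fires.
    "bmp_with_MZ_in_size": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/bmp\r\n"
        b"\r\n"
        b"BMMZ\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00"
    ),
    # PE executable served as a GIF: the body starts right after the blank
    # line, so the byte immediately before "MZ" on the wire is 0x0a, not 0x0d.
    "exe_as_gif": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Length: 77824\r\n"
        b"Content-Type: image/gif\r\n"
        b"\r\n"
        b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    ),
    # Genuine GIF: no variant should fire.
    "real_gif": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/gif\r\n"
        b"\r\n"
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
    ),
}


def rule_fires(rule: str, payload: bytes) -> bool:
    """Does the given rule variant alert on this payload?"""
    return content_within(payload, FIRST, RULES[rule], WITHIN)


def run_matrix() -> dict:
    """Every rule variant against every sample: {sample: {rule: fired}}."""
    return {name: {rule: rule_fires(rule, data) for rule in RULES}
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, results in run_matrix().items():
        flags = "  ".join(f"{rule}={int(fired)}" for rule, fired in results.items())
        print(f"{name:22s} {flags}")
```

Run as a script it prints one line per sample. On these inputs rev 4 fires on both the BMP and the executable, rev 5 fires on neither (the CRLF before the body means 0x0d is never the byte directly before "MZ"), and the 0x0a variant fires only on the executable. The window arithmetic is also worth noting: with a 12-byte window the check only reaches the body when the Content-Type header is short and is the last header, so the anchored byte is the main thing the rule gains from this change, not a wider reach.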