[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Greg Martin gregm at econet.com
Thu Jan 29 18:13:17 EST 2009


Agreed to stay away from any newish rule features to avoid breaking compatibility.

I would stick with the standard content rule vs. http preproc due to the fact you have dsize and within.  That keeps you with state through stream without worrying about the aforementioned fragmentation issue.

-G


-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net on behalf of Darren Spruell
Sent: Thu 1/29/2009 4:57 PM
To: Holste, Martin C - DOA
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new
 
On Thu, Jan 29, 2009 at 1:52 PM, Holste, Martin C - DOA
<martin.holste at wisconsin.gov> wrote:
> Also, don't forget that Sourcefire added the http_method modifier so we
> could do:
>
> content:"GET"; http_method; uricontent:"/forms.cgi";

I think the concern might be requiring a recent enough snort to do the
http_* options (don't recall when that was added, 2.8.3? Pretty
recent.)

-- 
Darren Spruell
phatbuckett at gmail.com
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
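The two rule styles the thread contrasts, side by side, as an added illustration. These are not the Emerging Threats Gozi/Ordergun/Orderjack rules under discussion; the sids, msg strings and the flow option are placeholders chosen for this example, and the only details taken from the thread are the GET method, the "/forms.cgi" URI, and the choice between plain content with positional modifiers and the http_method/uricontent modifiers. The first form runs on any Snort that does content matching; the second needs a Snort build that supports the http_* modifiers and the http_inspect preprocessor, which is the compatibility concern raised above.

```snort
# Added example, not the ET rule being discussed. sid/msg values are placeholders.

# Style 1: plain content options only, no http_* modifiers.
# depth:3 pins "GET" to the first three bytes of the client payload;
# distance:1 skips the space; within:10 requires the 10-byte URI to
# follow immediately, so the pair only matches "GET /forms.cgi".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Gozi-style checkin (plain content)"; flow:established,to_server; content:"GET"; depth:3; content:"/forms.cgi"; distance:1; within:10; nocase; classtype:trojan-activity; sid:9000001; rev:1;)

# Style 2: the http_method / uricontent form quoted in the thread.
# http_method restricts "GET" to the request method buffer and uricontent
# matches against the normalized URI that http_inspect provides, so the
# rule no longer cares where in the raw payload the bytes land.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Gozi-style checkin (http_method/uricontent)"; flow:established,to_server; content:"GET"; http_method; uricontent:"/forms.cgi"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)
```

Both rules fire on the same request; the practical difference is that the second needs a Snort version with the http_* modifiers and an http_inspect configuration covering the port, while the first relies only on content positioning against the reassembled stream.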
