[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Greg Martin gregm at econet.com
Thu Jan 29 18:13:17 EST 2009

Agreed to stay away from any newish rule features to avoid breaking compatibility.

I would stick with the standard content rule vs. http preproc due to the fact you have dsize and within. This keeps you with state through the stream without worrying about the aforementioned fragmentation issue.


-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net on behalf of Darren Spruell
Sent: Thu 1/29/2009 4:57 PM
To: Holste, Martin C - DOA
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new
On Thu, Jan 29, 2009 at 1:52 PM, Holste, Martin C - DOA <martin.holste at wisconsin.gov> wrote:
> Also, don't forget that Sourcefire added the http_method modifier so we
> could do:
> content:"GET"; http_method; uricontent:"/forms.cgi";

I think the concern might be requiring a recent enough snort to do the
http_* options (don't recall when that was added, 2.8.3? Pretty

Darren Spruell
phatbuckett at gmail.com
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
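Worked example, added here for illustration and not taken from the thread or from the Emerging Threats ruleset: the two rule styles being compared, written against the same "GET /forms.cgi" request the thread mentions. The msg strings, the sid values (local 1000000+ range), the dsize bound and the flow option are my own choices, not anything the thread specifies.

```snort
# Added illustration, not an Emerging Threats rule. Both rules look for the
# request start "GET /forms.cgi"; msg text, sids and the dsize bound are
# constructed placeholders.

# Form 1: relies on the HTTP inspect preprocessor and a Snort release that
# understands http_method / uricontent (the compatibility concern raised above).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Gozi-style checkin (http_method form)"; flow:established,to_server; content:"GET"; http_method; uricontent:"/forms.cgi"; classtype:trojan-activity; sid:1000001; rev:1;)

# Form 2: plain content matching, as Greg suggests. depth:4 pins "GET " to the
# start of the payload; within:10 requires the 10-byte "/forms.cgi" to be found
# entirely inside the 10 bytes following that match, i.e. immediately after it,
# so ordering is enforced without any HTTP decoding. dsize caps the payload
# size; 400 is a placeholder, set it from the request sizes actually observed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Gozi-style checkin (plain content form)"; flow:established,to_server; dsize:<400; content:"GET "; depth:4; content:"/forms.cgi"; within:10; classtype:trojan-activity; sid:1000002; rev:1;)
```

The two forms are not strictly equivalent: uricontent matches against the normalized URI anywhere in the request line, while form 2 only fires when the literal path sits at the very start of the payload, which is the trade-off accepted for running on older Snort versions without the http_* modifiers.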
