[Emerging-Sigs] Eleonore Drive By's and the Redirection To Them

evilghost@packetmail.net evilghost at packetmail.net
Tue Oct 5 15:06:29 EDT 2010



On 10/05/2010 02:03 PM, Eoin Miller wrote:
> We have had some weird issues with doing multiple content matches in the 
> same buffer (by that I mean it does not alert as you would expect it 
> to). I haven't tested this with 2.9.0 yet, but the 2.8.6.x's would not 
> alert if you added http_cookie to the second content match (if my memory 
> serves). We could use  distance:N; but since we are content matching on 
> just cookie values containing the first content in only the cookie 
> field, I would guess the performance increase would be negligible.

I would love to hear more about this and will try to confirm on my end.
I wonder if the below would mitigate the issue?  Basically constrain
both to the same normalized buffer and make it relative to the
previous while keeping the pointer in the same buffer.

content:"SL_"; http_cookie; content:"_0000="; http_cookie; distance:0;

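As an added illustration that is not part of the thread, the Python below emulates the two ways the rule's second content can be evaluated: as an independent match anywhere in the cookie buffer, or relative to the end of the previous match with distance:0, as in the rule evilghost proposes. The sample HTTP requests are constructed for this example, the cookie_buffer helper is a stand-in for the engine's http_cookie normalization (it only extracts the Cookie header value), and the matching semantics are my reading of Snort's content/distance modifiers, including the engine's retry of later occurrences of the first content; it does not reproduce the 2.8.6.x behaviour Eoin describes.

```python
# Constructed sample HTTP requests (not captured traffic), written for this example.
SAMPLE_REQUESTS = {
    # "SL_" appears before "_0000=" in the cookie: both evaluations should hit.
    "ordered": (
        "GET /index.php HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "Cookie: SL_abc=1; SL_session_0000=xyz\r\n"
        "\r\n"
    ),
    # "_0000=" appears only before "SL_": an independent pair of contents
    # still hits, a relative second content (distance:0) does not.
    "reversed": (
        "GET /index.php HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "Cookie: id_0000=xyz; SL_abc=1\r\n"
        "\r\n"
    ),
    # Both strings are in the URI but not the cookie: http_cookie ignores them.
    "uri_only": (
        "GET /SL_/page_0000=1 HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "Cookie: plain=value\r\n"
        "\r\n"
    ),
}


def cookie_buffer(request: str) -> bytes:
    """Return the Cookie header value, standing in for the http_cookie buffer.

    Only the header value is searched, so the same strings in the URI or
    body never satisfy a content that carries the http_cookie modifier.
    """
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip().encode()
    return b""


def match_independent(buf: bytes, first: bytes, second: bytes) -> bool:
    """Two http_cookie contents without a relative modifier: each only has
    to occur somewhere in the buffer, in any order."""
    return first in buf and second in buf


def match_relative(buf: bytes, first: bytes, second: bytes, distance: int = 0) -> bool:
    """Second content with distance:N relative to the first.

    The search for the second content starts N bytes past the end of a
    match of the first. As the detection engine does, every occurrence of
    the first content is tried before giving up, so an early occurrence
    that is not followed by the second does not hide a later one that is.
    """
    start = 0
    while True:
        pos = buf.find(first, start)
        if pos < 0:
            return False
        cursor = pos + len(first) + distance
        if buf.find(second, cursor) >= 0:
            return True
        start = pos + 1


def evaluate(request: str) -> dict:
    """Evaluate the two contents of the proposed rule against one request."""
    buf = cookie_buffer(request)
    return {
        "independent": match_independent(buf, b"SL_", b"_0000="),
        "relative": match_relative(buf, b"SL_", b"_0000="),
    }


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:9s} {evaluate(req)}")
```

The "reversed" request is the one that separates the two forms: independent contents would fire on it, while distance:0 requires "_0000=" to follow "SL_" inside the cookie, which is the ordering the rule intends to describe.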
