[Emerging-Sigs] Eleonore Drive By's and the Redirection To Them

Joel Esler jesler at sourcefire.com
Tue Oct 5 15:11:23 EDT 2010

I haven't used the http_cookie keyword, but since it's a normalized buffer,
I assume it would be similar to http_uri, where you can't do relative
statements to a normalized buffer.


On Tue, Oct 5, 2010 at 3:06 PM, evilghost at packetmail.net <
evilghost at packetmail.net> wrote:

> Hash: SHA1
> On 10/05/2010 02:03 PM, Eoin Miller wrote:
> > We have had some weird issues with doing multiple content matches in the
> > same buffer (by that I mean it does not alert as you would expect it
> > to). I haven't tested this with 2.9.0 yet, but the 2.8.6.x's would not
> > alert if you added http_cookie to the second content match (if my memory
> > serves). We could use  distance:N; but since we are content matching on
> > just cookie values containing the first content in only the cookie
> > field, I would guess the performance increase would be negligible.
> I would love to hear more about this and will try to confirm on my end.
>  I wonder if the below would mitigate the issue?  Basically constrain
> both to the same normalized buffer and make it be relative to the
> previous while keep the pointer in the same buffer.
> content:"SL_"; http_cookie; content:"_0000="; http_cookie; distance:0;
> Version: GnuPG v1.4.10 (GNU/Linux)
> XwWIIfHqViGf4qRLTBD1TmUZLUj6UOdejEnbifglHgMp8lHrmVbfip94QV8uIuLL
> uww1mlYgGzN9/JKQNT4DjQH3EECJSBPGxVvX3jSqNwRejfGt6Ky/4qbWfchESIjc
> PKgB55RcTuXKpYskQ3wl0DncVc3udkCL32zqRky2uCIRWaniaNuSDniq5VU5/kZW
> hAZ8q44h7OpzT8fLZvZW2vw73uDKhNVcJuaheWdtwEGsqJSIDAJ3seoGqT7FLD2Q
> RAQ4YOH08QTxHdjNvL/AJI62Vq4kIqZgx58FNyqIHGGsLuqK20JtJLzfm2g+Rs99
> DN7V84POzY1Q57ZBcKT/rSvMGqqmVJ2p6hPnpmTBIAPW9XWbNVvbNokTs+C/wUA9
> XTxEPcDHVj2nfY8H/26JkDL0lWbRet0E+AWVZuaaZuc5kT2H5siZJL2IamMK+v+7
> 4W91ScQT1ca1aJi9asjSrxFHAJDEaQuLa2eJXQvnNMTvcqgeh+3rgBEdnxYZ4F6O
> epUNk/jG47ImTtXmiA+oPDsmGbWga9fX61+oFdWyoWhYvDYh30zPYDv6MHFrBx+r
> DntW9tabnVZsXMrOzdINzH59O4fCy5h1DBiS4vihp13febm5xW4TSGwhRSKxpSI/
> chkHLygp8vGCsTmlOt/+
> =bzby
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20101005/20eee148/attachment.html

More information about the Emerging-sigs mailing list