[Emerging-Sigs] Anyones doomsday machine running low on IDS analyst tears?

waldo kitty wkitty42 at windstream.net
Wed Oct 6 17:21:15 EDT 2010


On 10/6/2010 16:57, Will Metcalf wrote:
>> No dice.. So I guess the take away here is that if you are moving to a
>> VRT snort.conf or a 2.9.0 ruleset and you are running custom rules I
>> would pay real close attention to debug-print-fast-pattern output.  We
>> are going through the poor performers now and making modifications
>> where appropriate for ET rules, just thought folks might want to know
>> ;-)...
>
> Forgot to add the bit about the solution.  If you do end up using this
> pm with the default options, for rules such as this use the
> fast_pattern:<offset>,<length>; options... i.e.

ahhh... so it can be overridden on a rule-by-rule basis... that's still more burden,
as it is now something else to have to remember when writing rules... especially
when one is writing them for submission to distribution groups like ET...

> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Delf Checkin via HTTP (8)"; flow:established,to_server;
> content:"POST"; http_method; content:".php"; http_uri; nocase;
> content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)";
> http_header; fast_pattern:30,20; content:"name="; http_client_body;
> classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/2008268;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf;
> sid:2008268; rev:5;)
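
As an added worked example (not code from the thread, from ET, or from Snort), the following Python decodes the content options of the rule quoted above and shows which bytes the multi-pattern matcher would actually search for: with `fast_pattern:30,20;` only 20 bytes starting at offset 30 of the User-Agent content are used, and without it the longest content is chosen. The selection logic is a deliberate simplification of Snort's real algorithm (an explicit `fast_pattern` wins, otherwise the longest non-negated content); Snort applies further preferences that this script does not model, so treat its output as a sanity check to compare against what `debug-print-fast-pattern` reports, not as a replacement for it. The rule string is embedded verbatim from the thread; the helper names are my own.

```python
import re

# Constructed sample input: the ET rule quoted in the thread (sid 2008268 rev 5),
# joined onto one line so it can be parsed here.
ET_DELF_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN '
    'Delf Checkin via HTTP (8)"; flow:established,to_server; '
    'content:"POST"; http_method; content:".php"; http_uri; nocase; '
    'content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; '
    'http_header; fast_pattern:30,20; content:"name="; http_client_body; '
    'classtype:trojan-activity; '
    'reference:url,doc.emergingthreats.net/2008268; '
    'sid:2008268; rev:5;)'
)

# Snort content strings embed binary as |hh hh ...| blocks between pipes.
_HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def decode_content(raw: str) -> bytes:
    """Turn a Snort content string (with |hex| escapes) into the raw bytes matched."""
    out = bytearray()
    pos = 0
    for m in _HEX_RE.finditer(raw):
        out += raw[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += raw[pos:].encode("latin-1")
    return bytes(out)


def split_options(rule: str) -> list:
    """Split the parenthesised option body on ';' that sit outside double quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def parse_contents(rule: str) -> list:
    """Collect each content option with the buffer and fast_pattern modifiers that follow it."""
    contents = []
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            negated = val.startswith("!")
            contents.append({
                "pattern": decode_content(val.lstrip("!").strip('"')),
                "buffer": "raw",          # no http_* modifier seen yet
                "negated": negated,
                "fast_pattern": None,
            })
        elif not contents:
            continue                      # msg/flow/etc. before any content
        elif key.startswith("http_"):
            contents[-1]["buffer"] = key
        elif key == "fast_pattern":
            if "," in val:                # fast_pattern:<offset>,<length>
                off, ln = (int(x) for x in val.split(","))
                contents[-1]["fast_pattern"] = (off, ln)
            else:                         # bare fast_pattern; or fast_pattern:only;
                contents[-1]["fast_pattern"] = True
    return contents


def fast_pattern_for(rule: str) -> tuple:
    """Return (buffer, bytes) the fast-pattern matcher would search for.

    Simplified model (assumption, not Snort's full selection logic): an explicit
    fast_pattern modifier wins; otherwise the longest non-negated content is used.
    """
    contents = parse_contents(rule)
    explicit = [c for c in contents if c["fast_pattern"]]
    if explicit:
        c = explicit[0]
        pat = c["pattern"]
        if isinstance(c["fast_pattern"], tuple):
            off, ln = c["fast_pattern"]
            pat = pat[off:off + ln]   # offset is counted from the start of the content
        return c["buffer"], pat
    longest = max((c for c in contents if not c["negated"]),
                  key=lambda c: len(c["pattern"]))
    return longest["buffer"], longest["pattern"]


if __name__ == "__main__":
    print("with fast_pattern:30,20 ->", fast_pattern_for(ET_DELF_RULE))
    print("without it             ->",
          fast_pattern_for(ET_DELF_RULE.replace("fast_pattern:30,20; ", "")))
```

Running it shows that the matcher searches the http_header buffer for `tible; Indy Library)` when the modifier is present, rather than the full 50-byte `User-Agent: Mozilla/3.0 (compatible; Indy Library)` it would otherwise pick as the longest content; that is the kind of difference worth checking against `debug-print-fast-pattern` output before submitting a rule.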
