[Emerging-Sigs] SIG for JAR-Download :: Have you checked the Java?
mail at mare-system.de
Sun Oct 24 12:27:01 EDT 2010
Does this always work with gzip'd and chunk'd content?
I remember this flaw some weeks ago with older versions of
If it works I think yours is the better sig;
or maybe run them both to see 1. the request and 2. the response?
Martin Holste wrote:
> I've been running a JAR sig for a long time, and it's been very
> helpful for post-mortems or data mining. My sig is a little
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL JAR
> file download"; flow:from_server,established; content:"PK"; depth:500;
> content:"META-INF/"; within:100; content:"MANIFEST"; within:100;
> classtype:not-suspicious; sid:xxx; rev:1;)
> On Sun, Oct 24, 2010 at 4:55 AM, Mex <mail at mare-system.de> wrote:
>> Maybe, deactivated by default for office networks?
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JAVA JAR
>> Download Attempt"; flow:established,to_server; uricontent:".jar";
>> reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; sid:xxxxxxxx;
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
Security InfoCenter .:. http://www.mare-system.de/sic
DONT PANIC .:. http://www.mare-system.de/emergency
MARE System Kiel .:. http://www.mare-system.de
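The question raised above (does the content-based rule still fire on gzip'd or chunked responses?) can be checked offline. The Python below is an added example, not code from the thread: it models the quoted rule's content/depth/within checks with a simplified matcher (not Snort itself), builds a constructed minimal JAR, and serves it plain, gzip-encoded and chunked; the class name and the HTTP headers are made up for the example.

```python
import gzip
import io
import zipfile

# The quoted rule's payload checks, modelled (approximately) the way Snort applies them:
# content:"PK"; depth:500;  content:"META-INF/"; within:100;  content:"MANIFEST"; within:100;
RULE = [(b"PK", "depth", 500), (b"META-INF/", "within", 100), (b"MANIFEST", "within", 100)]

def rule_matches(payload: bytes) -> bool:
    """True when each pattern is found inside its window (depth: the first n bytes of the
    payload; within: the n bytes after the previous match). Simplification: later hits
    of an earlier pattern are not retried the way Snort would."""
    cursor = 0
    for pattern, modifier, n in RULE:
        start = 0 if modifier == "depth" else cursor
        idx = payload[start:start + n].find(pattern)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True

def build_jar() -> bytes:
    """Constructed sample JAR: a stored ZIP whose first entry is the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Foo\r\n")
        zf.writestr("Foo.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)  # placeholder class bytes
    return buf.getvalue()

def chunked(body: bytes, size: int) -> bytes:
    """Constructed Transfer-Encoding: chunked body using fixed-size chunks."""
    pieces = [body[i:i + size] for i in range(0, len(body), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"

def http_response(body: bytes, encoding: str = "", chunk: int = 0) -> bytes:
    """Constructed server reply, i.e. the raw TCP payload the rule inspects."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: application/java-archive"]
    if encoding == "gzip":                      # Content-Encoding: body is compressed
        body = gzip.compress(body, mtime=0)
        headers.append(b"Content-Encoding: gzip")
    if chunk:                                   # Transfer-Encoding: body split into chunks
        body = chunked(body, chunk)
        headers.append(b"Transfer-Encoding: chunked")
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

def jar_detected(encoding: str = "", chunk: int = 0) -> bool:
    return rule_matches(http_response(build_jar(), encoding, chunk))
```

A plain download matches, the gzip'd one does not (the "PK"/"META-INF/" bytes are never on the wire uncompressed), and a chunked one only matches while the chunk markers do not land inside the strings the rule looks for, so the raw-payload rule needs the sensor to normalise the HTTP body before it is reliable.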