[Emerging-Sigs] SIG for JAR-Download :: Have you checked the Java?

mex mail at mare-system.de
Sun Oct 24 12:27:01 EDT 2010


Does this always work with gzip'd and chunk'd content?
I remember this flaw some weeks ago with older versions of
Snort.

If it works I think yours is the better sig;
or maybe run them both to see 1. the request and 2. the response?

Martin Holste wrote:
> I've been running a JAR sig for a long time, and it's been very
> helpful for post-mortems or data mining.  My sig is a little
> different:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL JAR file download"; flow:from_server,established; content:"PK"; depth:500; content:"META-INF/"; within:100; content:"MANIFEST"; within:100; classtype:not-suspicious; sid:xxx; rev:1;)
> 
> On Sun, Oct 24, 2010 at 4:55 AM, Mex <mail at mare-system.de> wrote:
>> Maybe deactivated by default for office networks?
>>
>> http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JAVA JAR Download Attempt"; flow:established,to_server; uricontent:".jar"; classtype:bad-unknown; reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; sid:xxxxxxxx; rev:1;)
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>

-- 


mex


Security InfoCenter   .:.   http://www.mare-system.de/sic
DONT PANIC            .:.   http://www.mare-system.de/emergency 
MARE System Kiel      .:.   http://www.mare-system.de
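
The gzip'd/chunk'd question raised above can be checked offline. What follows is an added example written for this page, not code from the list, from Snort or from either poster: it builds a minimal JAR with Python's standard library, wraps it in three constructed HTTP responses (identity, gzip, and chunked with the chunk boundary deliberately placed inside the META-INF/ filename), and applies a small re-implementation of the content/depth/within logic from the quoted "LOCAL JAR file download" rule to each raw byte stream. The response headers, the manifest text, the fake class bytes and the matcher itself are assumptions made for the demo; the matcher approximates Snort's modifier semantics rather than running Snort.

```python
"""Does a raw-byte JAR signature still hit on gzip'd or chunk'd bodies?

Added example for this thread (not Snort code, not the posters' code).
It constructs a tiny JAR, three HTTP responses carrying it, and a
rough model of Snort's content/depth/within matching on the raw stream.
"""
import gzip
import io
import zipfile

# Same three patterns as the quoted "LOCAL JAR file download" rule, in order.
# "PK" must lie within the first 500 bytes of the stream; each later pattern
# must fall entirely inside the 100 bytes following the previous match.
JAR_RULE = [
    (b"PK", {"depth": 500}),
    (b"META-INF/", {"within": 100}),
    (b"MANIFEST", {"within": 100}),
]


def build_jar() -> bytes:
    """Construct a minimal JAR: a ZIP whose first entry is META-INF/MANIFEST.MF.

    A ZIP local file header is 30 bytes, so the filename "META-INF/MANIFEST.MF"
    starts at offset 30, right after the "PK\\x03\\x04" signature.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        # Constructed stand-in for a class file (magic + padding), not real bytecode.
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()


def http_response(body: bytes, encoding: str) -> bytes:
    """Constructed HTTP/1.1 response carrying the JAR in one of three encodings."""
    head = [b"HTTP/1.1 200 OK", b"Server: Apache",
            b"Content-Type: application/java-archive"]
    if encoding == "identity":
        head.append(b"Content-Length: %d" % len(body))
        payload = body
    elif encoding == "gzip":
        payload = gzip.compress(body, mtime=0)          # mtime=0 keeps output stable
        head += [b"Content-Encoding: gzip",
                 b"Content-Length: %d" % len(payload)]
    elif encoding == "chunked":
        head.append(b"Transfer-Encoding: chunked")
        # Boundary 4 bytes into the filename: the wire carries "META" <chunk
        # framing> "-INF/", so the literal "META-INF/" never appears contiguously.
        cut = 34
        parts = [p for p in (body[:cut], body[cut:]) if p]
        payload = b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"
    else:
        raise ValueError(encoding)
    return b"\r\n".join(head) + b"\r\n\r\n" + payload


def rule_matches(stream: bytes, rule=JAR_RULE) -> bool:
    """Approximate Snort content/depth/within semantics on one reassembled stream.

    depth:N   -> the pattern must be found entirely within stream[0:N]
    within:N  -> the pattern must be found entirely within the N bytes after
                 the end of the previous match
    bytes.find(sub, start, end) only reports matches wholly inside [start, end).
    """
    prev_end = 0
    for pattern, mods in rule:
        if "depth" in mods:
            start, end = 0, mods["depth"]
        else:
            start, end = prev_end, prev_end + mods["within"]
        idx = stream.find(pattern, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(pattern)
    return True


def check_all() -> dict:
    """Run the rule against the same JAR in each of the three encodings."""
    jar = build_jar()
    return {enc: rule_matches(http_response(jar, enc))
            for enc in ("identity", "gzip", "chunked")}


if __name__ == "__main__":
    for enc, hit in check_all().items():
        print(f"{enc:9s} -> {'MATCH' if hit else 'no match'}")
```

Only the identity response matches. The gzip'd body hides the PK and META-INF/ bytes entirely, and the chunked one fails solely because the boundary happens to split the filename, so a rule written against raw response bytes is only as reliable as the decoded buffer the preprocessor hands it (in Snort 2.9 that means http_inspect with gzip decoding enabled and the rule pointed at the file_data buffer). The request-side uricontent:".jar" rule quoted above is untouched by response encoding, since it never looks at the body, at the cost of firing on any URI that merely contains ".jar".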
