[Emerging-Sigs] Possible FP 2013437

Lay, James james.lay at wincofoods.com
Mon Oct 3 18:56:54 EDT 2011


> 
> Hi James,
> To reduce FP, can you test by adding within like this:
>   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> POLICY Executable served from Amazon S3"; flow:established,to_client;
> content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
> within:2; distance:0; isdataat:80,relative; content:"PE";
> distance:0;...
> but it needs the latest snort v291. (and default config paf_max: 16384) Regards
> Rmkml
> 
> 
> 
> Thanks Rmkml...I'll give that a try.
> 
> James

Hrmm..that looks like 2013414?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
Executable served from Amazon S3"; flow:established,to_client;
content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
within:2; isdataat:80,relative; content:"PE"; distance:0;
classtype:bad-unknown;
reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/;
reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud;
sid:2013414; rev:3;)

That hasn't fired :)

James
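An added illustration, not code from this thread or from the Emerging Threats ruleset: a small Python emulation of the Snort options used in the rule above (file_data, content with within/distance, isdataat relative), run over constructed HTTP responses. It assumes, as Rmkml's reply implies, that the false-positive-prone form of the rule is the same rule without within:2; that is an assumption about the other signature, not a quote of it. The point it makes visible is that within:2 directly after file_data pins "MZ" to the first two bytes of the response body, so text bodies that merely contain the letters MZ and PE somewhere no longer match.

```python
"""
Emulation of the content-matching logic of the ET "Executable served from
Amazon S3" rule on raw HTTP response bytes. Added example with constructed
sample data; it approximates Snort semantics, it does not call Snort.
"""

# Exactly the bytes the rule's content:"Server|3A| AmazonS3"; http_header; looks for.
SERVER_HEADER = b"Server: AmazonS3"


def split_http_response(raw: bytes):
    """Return (headers, body); body is what Snort's file_data cursor points at."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("not a complete HTTP response")
    return head, body


def body_looks_like_pe(body: bytes, anchor_mz: bool) -> bool:
    """
    Emulate the options that follow file_data in the rule:
      content:"MZ"; [within:2;] distance:0;  -> MZ at body offset 0 when anchored
      isdataat:80,relative;                  -> at least 80 bytes follow MZ (approx.)
      content:"PE"; distance:0;              -> "PE" anywhere after the cursor
    anchor_mz=True models the rule with within:2, False the assumed variant without it.
    """
    if anchor_mz:
        # within:2 with a 2-byte pattern: the match must end within 2 bytes of the
        # cursor, i.e. "MZ" has to be the first two bytes of the body.
        if not body.startswith(b"MZ"):
            return False
        cursor = 2
    else:
        # Without within:, "MZ" may occur anywhere in the body (hence text FPs).
        idx = body.find(b"MZ")
        if idx < 0:
            return False
        cursor = idx + 2
    # isdataat:80,relative (simplified to "80 bytes remain after the cursor")
    if len(body) - cursor < 80:
        return False
    # content:"PE"; distance:0; relative to the cursor after MZ
    return body.find(b"PE", cursor) >= 0


def rule_matches(raw: bytes, anchor_mz: bool = True) -> bool:
    """Full rule: AmazonS3 Server header AND the body checks above."""
    headers, body = split_http_response(raw)
    if SERVER_HEADER not in headers:
        return False
    return body_looks_like_pe(body, anchor_mz)


# Constructed sample responses (not real captures).
S3_HEADERS = (b"HTTP/1.1 200 OK\r\n"
              b"Server: AmazonS3\r\n"
              b"Content-Type: application/octet-stream\r\n\r\n")
OTHER_HEADERS = (b"HTTP/1.1 200 OK\r\n"
                 b"Server: nginx\r\n"
                 b"Content-Type: application/octet-stream\r\n\r\n")
# Minimal PE-shaped body: DOS stub header then a "PE\0\0" signature further on.
PE_BODY = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
# HTML body that happens to contain "MZ" and, later, "PE" as ordinary text.
HTML_BODY = (b"<html><body>Product code MZ-200 ships with OpenPE support"
             b"</body></html>" + b" " * 100)
# Body too short to satisfy isdataat:80,relative.
SHORT_BODY = b"MZ" + b"\x90" * 10 + b"PE"


def compare_variants():
    """Return {name: (matches_with_within, matches_without_within)} for the samples."""
    samples = {
        "pe_from_s3": S3_HEADERS + PE_BODY,
        "html_from_s3": S3_HEADERS + HTML_BODY,
        "short_from_s3": S3_HEADERS + SHORT_BODY,
        "pe_from_other": OTHER_HEADERS + PE_BODY,
    }
    return {name: (rule_matches(raw, True), rule_matches(raw, False))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (anchored, loose) in compare_variants().items():
        print(f"{name:15s} within:2={anchored!s:5s} no-within={loose}")
```

Only html_from_s3 differs between the two columns: the unanchored variant fires on it, the within:2 form does not, which is the false-positive reduction the reply describes. The isdataat and distance handling here is a deliberate simplification of Snort's behaviour, so treat the script as a reading aid for the rule, not as a substitute for testing it against the sensor version and paf_max setting the thread mentions.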
