[Emerging-Sigs] Possible FP 2013437
kevross33 at googlemail.com
Tue Oct 4 03:46:21 EDT 2011
Perhaps on the one not within:2, expand it to the "this program cannot" and "win32"
options for a DOS EXE?
On 3 October 2011 23:56, Lay, James <james.lay at wincofoods.com> wrote:
> > Hi James,
> > To reduce FP, can you test by adding within like this:
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> > POLICY Executable served from Amazon S3"; flow:established,to_client;
> > content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
> > within:2; distance:0; isdataat:80,relative; content:"PE";
> > but it needs the latest Snort v2.9.1 (and default config paf_max: 16384). Regards
> > Thanks Rmkml...I'll give that a try.
> > James
> Hrmm..that looks like 2013414?
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
> Executable served from Amazon S3"; flow:established,to_client;
> content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
> within:2; isdataat:80,relative; content:"PE"; distance:0;
> ng_Malware_now_on_Amazon_Web_Services_Cloud; sid:2013414; rev:3;)
> That hasn't fired :)
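A runnable model of the content checks in the quoted 2013414 rule, added here as an illustration (not code from the list or from Emerging Threats): it applies the rule's MZ / isdataat:80,relative / PE logic to constructed byte buffers, and contrasts it with a stricter e_lfanew lookup, which is my assumption about what a tighter executable check needs rather than anything proposed in the thread.

```python
import struct

# Constructed sample "file_data" buffers (not real executables):
# 1) minimal PE layout: MZ header, e_lfanew at 0x3C pointing at a PE\0\0 signature
_pe = bytearray(b"MZ" + b"\x00" * 0x3A)            # 0x3C bytes of DOS header
_pe += struct.pack("<I", 0x80)                      # e_lfanew -> 0x80
_pe += b"\x00" * (0x80 - len(_pe)) + b"PE\x00\x00" + b"\x00" * 0x60
PE_SAMPLE = bytes(_pe)
# 2) DOS-style executable with no PE signature whose stub text happens to
#    contain the bytes "PE" (inside the word "TYPE") - the FP-prone case
DOS_SAMPLE = b"MZ" + b"\x90" * 0x50 + b"TYPE HELP FOR USAGE\r\n$" + b"\x00" * 0x40
# 3) non-executable content
HTML_SAMPLE = b"<html><body>hello</body></html>"


def rule_matches(buf):
    """Model of the rule's file_data checks:
       content:"MZ"; within:2;  isdataat:80,relative;  content:"PE"; distance:0;"""
    # within:2 from buffer start: a 2-byte match must begin at offset 0
    if buf.find(b"MZ", 0, 2) != 0:
        return False
    cursor = 2                                     # detection cursor sits after "MZ"
    # isdataat:80,relative (approximated as at least 80 bytes remaining)
    if len(buf) - cursor < 80:
        return False
    # distance:0 -> "PE" anywhere from the cursor onward, no offset bound
    return buf.find(b"PE", cursor) != -1


def has_pe_header(buf):
    """Stricter check (assumption, not from the thread): follow e_lfanew at
       offset 0x3C and require the PE\\0\\0 signature exactly there."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    for name, sample in (("pe", PE_SAMPLE), ("dos", DOS_SAMPLE), ("html", HTML_SAMPLE)):
        print(name, rule_matches(sample), has_pe_header(sample))
```

The DOS sample shows the gap: an MZ file with an incidental "PE" string satisfies the rule's content chain but has no PE header.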