[Emerging-Sigs] Possible FP 2013437

Kevin Ross kevross33 at googlemail.com
Tue Oct 4 03:46:21 EDT 2011


Perhaps on the one not using within:2, expand it to the "This program cannot" and
Win32 options for a DOS EXE?

On 3 October 2011 23:56, Lay, James <james.lay at wincofoods.com> wrote:

> >
> > Hi James,
> > For reduce FP, can you test by adding within like this:
> >   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> > POLICYExecutable served from Amazon S3"; flow:established,to_client;
> > content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
> > within:2; distance:0; isdataat:80,relative; content:"PE";
> distance:0;...
> > but need last snort v291. (and default config paf_max: 16384)
> > Regards Rmkml
> >
> >
> >
> > Thanks Rmkml...I'll give that a try.
> >
> > James
>
> Hrmm..that looks like 2013414?
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY
> Executable served from Amazon S3"; flow:established,to_client;
> content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
> within:2; isdataat:80,relative; content:"PE"; distance:0;
> classtype:bad-unknown;
> reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/;
> reference:url,www.securelist.com/en/blog/208188099/Financial_data_steali
> ng_Malware_now_on_Amazon_Web_Services_Cloud; sid:2013414; rev:3;)
>
> That hasn't fired :)
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
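The body checks the two rule shapes in this thread perform, written out as an added Python example (not from the thread or from the ET ruleset). The unanchored "MZ anywhere, then PE" shape is an assumption about what the FP-prone rule looks like, since the page does not quote it; the e_lfanew consistency check at the end goes beyond the thread.

```python
# Constructed sample data; nothing here is captured S3 traffic.
DOS_STUB_STRINGS = (b"This program cannot", b"Win32")  # Kevin's proposed extra anchors

def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Build a minimal MZ/PE header: 'MZ' at 0, e_lfanew at 0x3C, DOS stub text,
    'PE\\0\\0' at e_lfanew. Constructed for this example only."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    stub = b"This program cannot be run in DOS mode."
    buf[0x40:0x40 + len(stub)] = stub
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)

# A script-like body that happens to contain both tokens: the false-positive shape.
FP_BODY = b"var MZ_PREFIX = 'Mozilla'; var PE_TYPE = 'ogg';" + b"//" * 60

def from_s3(headers: dict) -> bool:
    # content:"Server|3A| AmazonS3"; http_header;
    return "amazons3" in headers.get("server", "").lower()

def loose_match(headers: dict, body: bytes) -> bool:
    """Unanchored shape (assumed to be what the FP-prone rule does):
    'MZ' anywhere in file_data, then 'PE' anywhere after it."""
    mz = body.find(b"MZ")
    return from_s3(headers) and mz != -1 and body.find(b"PE", mz + 2) != -1

def tight_match(headers: dict, body: bytes) -> bool:
    """Rmkml's tightened checks: 'MZ' must sit at the start of file_data (within:2),
    80 more bytes must exist (isdataat:80,relative), then 'PE' follows (distance:0)."""
    return (from_s3(headers) and body[:2] == b"MZ"
            and len(body) >= 2 + 80 and body.find(b"PE", 2) != -1)

def stub_match(headers: dict, body: bytes) -> bool:
    """Kevin's extra anchor: also require a DOS-stub string before accepting."""
    return tight_match(headers, body) and any(s in body for s in DOS_STUB_STRINGS)

def pe_header_consistent(body: bytes) -> bool:
    """Stricter structural check (added here, not in the thread): the PE signature
    must sit exactly at the e_lfanew offset stored at 0x3C."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    off = int.from_bytes(body[0x3C:0x40], "little")
    return body[off:off + 4] == b"PE\x00\x00"
```

Running the three matchers over FP_BODY and build_fake_pe() shows why the unanchored shape fires on ordinary text served from S3 while the within:2 form does not.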