[Emerging-Sigs] Bad Rule

Gibson, Nathan J. (HSC) Nathan-Gibson at ouhsc.edu
Tue Oct 25 16:32:27 EDT 2011

Can you take a look and correct as needed?

10/25/2011 3:29 PM :   snort[32474]: FATAL ERROR: /etc/snort/rules/snort.rules(3409) Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12;)

Nathan J. Gibson, MsIA, CISSP, CISM,CCNA, MCSA
IT Architect
Infrastructure Services
The University of Oklahoma HSC
voice: 405.271.2644 x50340
fax:    405.271.2181
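
Added example (not part of the original message or the Emerging Threats ruleset): a Python check for the condition named in the Snort error above, flagging any content that combines fast_pattern:only with distance/within or a non-zero offset/depth. The function names and the CONSTRUCTED_OK variant are assumptions made for illustration.

```python
# Added example. PAGE_RULE is the rule quoted in the message; all other names are hypothetical.
PAGE_RULE = r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12;)'

# Constructed variant for comparison only (not a fix published by the rule maintainers).
CONSTRUCTED_OK = PAGE_RULE.replace(" fast_pattern:only;", "")

RELATIVE = {"distance", "within"}  # relative modifiers: always conflict
POSITIONAL = {"offset", "depth"}   # conflict when non-zero, per the error text


def split_options(rule):
    """Split the (...) option body on ';', honouring quotes and backslash escapes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return [o for o in opts if o]


def lint_fast_pattern_only(rule):
    """Return (pattern, conflicting modifiers) for each offending content."""
    groups = []
    for opt in split_options(rule):
        key, _, val = (part.strip() for part in opt.partition(":"))
        if key == "content":
            # Each content starts a new group; later modifiers attach to it.
            groups.append({"pattern": val, "only": False, "mods": []})
        elif groups and key == "fast_pattern" and val == "only":
            groups[-1]["only"] = True
        elif groups and (key in RELATIVE or (key in POSITIONAL and val != "0")):
            groups[-1]["mods"].append(opt)
    return [(g["pattern"], g["mods"]) for g in groups if g["only"] and g["mods"]]


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("constructed variant", CONSTRUCTED_OK)):
        print(name, "->", lint_fast_pattern_only(rule) or "ok")
```

Running a check like this over a rules file before a reload catches the conflict without Snort exiting on the FATAL ERROR.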
