[Emerging-Sigs] Bad Rule
Gibson, Nathan J. (HSC)
Nathan-Gibson at ouhsc.edu
Tue Oct 25 16:32:27 EDT 2011
Can you take a look and correct as needed?
10/25/2011 3:29 PM : snort: FATAL ERROR: /etc/snort/rules/snort.rules(3409) Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12;)
Nathan J. Gibson, MsIA, CISSP, CISM, CCNA, MCSA
The University of Oklahoma HSC
voice: 405.271.2644 x50340
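A pre-deployment check for the condition in the error above, as an added example that is not part of the original message or of the Emerging Threats ruleset: it walks a rule's options in order and reports any content that is `fast_pattern:only` yet also carries `distance`/`within` or a non-zero `offset`/`depth`, following the wording of the Snort error. The function names and the second, constructed rule (local sid 1000001) are assumptions made for illustration.

```python
# Added example: lint Snort rules for the fast_pattern:only conflict reported above.
RELATIVE = {"distance", "within"}      # modifiers that make a content relative
POSITIONAL = {"offset", "depth"}       # flagged when non-zero, per the error text

def split_options(rule):
    """Return (keyword, value) pairs from the rule's option body, in order."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts.append((key.strip().lower(), val.strip()))
            buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
        buf.append(ch)
    return opts

def fast_pattern_only_conflicts(rule):
    """Return [(pattern, [conflicting modifiers])] for fast_pattern:only contents."""
    contents = []  # one dict of tracked modifiers per content, in rule order
    for key, val in split_options(rule):
        if key in ("content", "uricontent"):
            contents.append({"pattern": val})
        elif contents and key in RELATIVE | POSITIONAL | {"fast_pattern"}:
            contents[-1][key] = val  # modifiers bind to the preceding content
    findings = []
    for mods in contents:
        if mods.get("fast_pattern") != "only":
            continue
        bad = [f"{k}:{v}" for k, v in mods.items()
               if k in RELATIVE or (k in POSITIONAL and v != "0")]
        if bad:
            findings.append((mods["pattern"], bad))
    return findings

# The rule quoted in the message, verbatim.
PAGE_RULE = r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12;)'
# Constructed rule (local sid, not from the ruleset): fast_pattern without ":only".
CONSTRUCTED_RULE = r'alert tcp any any -> any any (msg:"constructed"; content:"PRIVMSG|20|"; depth:8; fast_pattern; sid:1000001; rev:1;)'

if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("constructed rule", CONSTRUCTED_RULE)):
        for pattern, bad in fast_pattern_only_conflicts(rule):
            print(f"{name}: content {pattern} is fast_pattern:only but also has {', '.join(bad)}")
```

Run over a rules file line by line before reloading the sensor, this catches the combination without waiting for Snort to exit with the fatal error.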