[Emerging-Sigs] Bad Rule

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 25 16:34:35 EDT 2011

Fixed up, sorry about that!


On Oct 25, 2011, at 4:32 PM, Gibson, Nathan J. (HSC) wrote:

> Can you take a look and correct as needed.
> 10/25/2011 3:29 PM :   snort[32474]: FATAL ERROR: /etc/snort/rules/snort.rules(3409) Fast pattern only contents cannot be relative or have non-zero offset/depth content modifiers.
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; fast_pattern:only; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; reference:url,doc.emergingthreats.net/2003208; classtype:trojan-activity; sid:2003208; rev:12;)
> _____________________________
> Nathan J. Gibson, MsIA, CISSP, CISM, CCNA, MCSA
> IT Architect
> Infrastructure Services
> The University of Oklahoma HSC
> voice: 405.271.2644 x50340
> fax:    405.271.2181
> Feedback?  Email comments to Chris Hodges
> --------------------------
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
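A small lint for the error class quoted above, added here as an example and not code from the list, from Emerging Threats or from Snort. It assumes the constraint stated in the FATAL ERROR text: a `fast_pattern:only` content may not carry `distance`/`within` or a non-zero `offset`/`depth` (zero values are assumed to be tolerated). The sample input is the quoted rule with its pcre alternation shortened.

```python
import re

# Modifiers that Snort rejects on a fast_pattern:only content (assumption:
# offset/depth of 0 are tolerated, distance/within never are).
POSITIONAL = ("offset", "depth")
RELATIVE = ("distance", "within")


def split_options(rule):
    """Split a rule's option body on ';' outside double-quoted values."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    return opts


def fast_pattern_only_violations(rule):
    """Return (pattern, offending modifiers) for each content that Snort would reject."""
    contents = []  # modifiers attach to the most recent content/uricontent
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name in ("content", "uricontent"):
            contents.append({"pattern": value, "mods": {}})
        elif contents and name in POSITIONAL + RELATIVE + ("fast_pattern",):
            contents[-1]["mods"][name] = value
    violations = []
    for c in contents:
        if c["mods"].get("fast_pattern") != "only":
            continue
        bad = [m for m in RELATIVE if m in c["mods"]]
        bad += [m for m in POSITIONAL if c["mods"].get(m, "0") != "0"]
        if bad:
            violations.append((c["pattern"], bad))
    return violations


def relax_fast_pattern_only(rule):
    """One valid repair: drop ':only' so the content keeps depth:8 and is still the
    fast-pattern candidate, but is also evaluated normally with its modifiers."""
    return re.sub(r"fast_pattern\s*:\s*only\s*;", "fast_pattern;", rule)


# Constructed input: the rule quoted above, pcre alternation shortened.
BAD_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC pBot PHP Bot '
            'Commands"; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; '
            'fast_pattern:only; pcre:"/PRIVMSG\\s+\\S+\\s+\\x3a\\s*(\\.user |\\.die)/i"; '
            'sid:2003208; rev:12;)')

if __name__ == "__main__":
    print(fast_pattern_only_violations(BAD_RULE))  # [('"PRIVMSG|20|"', ['depth'])]
    print(fast_pattern_only_violations(relax_fast_pattern_only(BAD_RULE)))  # []
```

Removing `depth:8` instead of `:only` is the other valid repair; which one Matt applied is not stated in the thread.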
