[Emerging-Sigs] Jorik FakeAV sig

waldo kitty wkitty42 at windstream.net
Sat Oct 29 23:19:40 EDT 2011


On 10/29/2011 15:40, Jason wrote:
>>
>> alert tcp $EXTERNAL_NET  any ->  $HOME_NET $HTTP_PORTS (msg:"UFOISC
>> Jorik FakeAV GET"; flow:established,to_server;  content:"GET /britix/a
>> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
>>
>
>
> Forgive me as i do not work often with snort. Would this signature also catch
> "/britix/ar"? You should be on guard for this in addition to the /a. Thank you.

strictly looking at the rule posted, it would appear that your URI is not 
caught... why? because the space is invisible in the rule and it appears to read 
as "/a http/1.1" (no case on purpose)... which means that "/a" followed by a 
space plus the http revision is all that's looked for...



More information about the Emerging-sigs mailing list