[Emerging-Sigs] Jorik FakeAV sig
wkitty42 at windstream.net
Sat Oct 29 23:19:40 EDT 2011
On 10/29/2011 15:40, Jason wrote:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"UFOISC
>> Jorik FakeAV GET"; flow:established,to_server; content:"GET /britix/a
>> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
> Forgive me as I do not work often with Snort. Would this signature also catch
> "/britix/ar"? You should be on guard for this in addition to the /a. Thank you.
Strictly looking at the rule posted, it would appear that your URI is not
caught... why? Because the space is invisible in the rule and it appears to read
as "/a http/1.1" (no case on purpose)... which means that "/a" followed by a
space plus the HTTP revision is all that's looked for...
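To make the point above concrete, here is a small added example (mine, not part of the original post or of the Emerging Threats rule set) that reproduces the plain substring semantics of Snort's content keyword, including the |hex| pipe notation for bytes like the space, and runs the quoted pattern against a few constructed request lines. The request lines, the "relaxed" pattern without the trailing " HTTP/1.1", and the Host header value are all assumptions made up for the demonstration.

```python
# Constructed request lines standing in for what a sensor would see on the
# wire; none of these are captured traffic.
SAMPLE_REQUESTS = {
    "exact":            b"GET /britix/a HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ar_variant":       b"GET /britix/ar HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "lowercase_method": b"get /britix/a http/1.1\r\nHost: example.invalid\r\n\r\n",
    "query_string":     b"GET /britix/a?id=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

# The content string exactly as it appears in the quoted rule, and a
# hypothetical relaxed variant that drops the trailing space + HTTP version.
ORIGINAL_CONTENT = "GET /britix/a HTTP/1.1"
RELAXED_CONTENT = "GET /britix/a"


def snort_content_to_bytes(spec: str) -> bytes:
    """Translate the text of a Snort content:"..." clause into raw bytes.

    Snort writes arbitrary bytes between pipes as hex, so "GET /britix/a|20|HTTP/1.1"
    denotes the same pattern as "GET /britix/a HTTP/1.1" (0x20 is the space).
    Text outside the pipes is taken literally.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")      # literal segment
        else:
            out += bytes.fromhex(chunk)         # |hex| segment
    return bytes(out)


def content_matches(spec: str, payload: bytes, nocase: bool = False) -> bool:
    """True if the pattern occurs anywhere in the payload.

    This is the unmodified substring behaviour of the content keyword; the
    optional nocase flag mirrors Snort's nocase modifier.
    """
    pattern = snort_content_to_bytes(spec)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def evaluate(spec: str, nocase: bool = False) -> dict:
    """Run one content pattern over every constructed request line."""
    return {name: content_matches(spec, req, nocase)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for spec in (ORIGINAL_CONTENT, RELAXED_CONTENT):
        print(f'content:"{spec}" ->', evaluate(spec))
    print("with nocase ->", evaluate(ORIGINAL_CONTENT, nocase=True))
```

Running it shows the original pattern hits only the "exact" request: "/britix/ar" fails because the byte after "/a" is "r" rather than the space the pattern demands, and a query string fails for the same reason. The relaxed pattern catches "/britix/a", "/britix/ar" and "/britix/a?id=1" alike, but also any other path starting with "/britix/a", so in practice a shorter content is usually paired with http_uri, depth/offset or a pcre to keep the false-positive surface in check.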