[Emerging-Sigs] Jorik FakeAV sig

Martin Holste mcholste at gmail.com
Sun Oct 30 10:23:17 EST 2011


Yep, looks like this one needs to be updated to content:"GET";
http_method; content:"/britix/a"; http_uri; By the way, "britix"
never appears in any part of a URI legitimately in our experience, so
this should not need any anchoring.

On Sat, Oct 29, 2011 at 10:19 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/29/2011 15:40, Jason wrote:
>>>
>>> alert tcp $EXTERNAL_NET  any ->  $HOME_NET $HTTP_PORTS (msg:"UFOISC
>>> Jorik FakeAV GET"; flow:established,to_server;  content:"GET /britix/a
>>> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
>>>
>>
>>
>> Forgive me as I do not work often with Snort. Would this signature also catch
>> "/britix/ar"? You should be on guard for this in addition to the /a. Thank you.
>
> strictly looking at the rule posted, it would appear that your URI is not
> caught... why? because the space is invisible in the rule and it appears to read
> as "/a http/1.1" (no case on purpose)... which means that "/a" followed by a
> space plus the http revision is all that's looked for...
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>
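A small added illustration (not part of the thread, not from Emerging Threats) of why the two rule forms differ: it models Snort's plain substring content match against the raw payload versus the http_method/http_uri buffers, and runs both over constructed request lines for /britix/a, /britix/ar and a benign path.

```python
"""Added example: toy model of the two Snort rule variants from the thread.
The original rule matches the literal 'GET /britix/a HTTP/1.1' in the raw
payload, so the space and version string after '/a' are part of the pattern
and a request for /britix/ar is missed. The updated rule matches 'GET' in the
http_method buffer and '/britix/a' in the http_uri buffer, so any URI that
contains '/britix/a' as a substring (including /britix/ar) is caught.
All request lines below are constructed samples."""


def parse_request_line(payload: str) -> dict:
    """Split the first line of an HTTP request into the buffers that Snort's
    HTTP preprocessor exposes (method and URI); the raw payload stays as-is."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    method = parts[0] if parts else ""
    uri = parts[1] if len(parts) > 1 else ""
    return {"raw": payload, "http_method": method, "http_uri": uri}


def rule_raw_content(payload: str) -> bool:
    """Original rule: a single content match against the raw payload."""
    return "GET /britix/a HTTP/1.1" in payload


def rule_http_buffers(payload: str) -> bool:
    """Updated rule: method and URI matched in their own buffers, no anchoring."""
    bufs = parse_request_line(payload)
    return "GET" in bufs["http_method"] and "/britix/a" in bufs["http_uri"]


# Constructed sample requests: the two paths discussed plus a benign one.
SAMPLES = {
    "a": "GET /britix/a HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ar": "GET /britix/ar HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign": "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def evaluate() -> dict:
    """Return {sample: (raw_rule_hit, http_buffer_rule_hit)} for each sample."""
    return {name: (rule_raw_content(p), rule_http_buffers(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw_hit, buf_hit) in evaluate().items():
        print(f"{name:7s} raw-content rule: {raw_hit!s:5s} http_uri rule: {buf_hit}")
```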

