[Emerging-Sigs] Jorik FakeAV sig

Packet Hack pckthck at gmail.com
Mon Oct 31 12:09:52 EST 2011


So can someone give the quick and dirty when it's better to use
fast_pattern:only vs. http_uri/http_method?

-- pckthck

On Sun, Oct 30, 2011 at 11:23 AM, Martin Holste <mcholste at gmail.com> wrote:
> Yep, looks like this one needs to be updated to content:"GET";
> http_method; content:"/britix/a"; http_uri;  By the way, "britix"
> never appears in any part of a URI legitimately in our experience, so
> this should not need any anchoring.
>
> On Sat, Oct 29, 2011 at 10:19 PM, waldo kitty <wkitty42 at windstream.net> wrote:
>> On 10/29/2011 15:40, Jason wrote:
>>>>
>>>> alert tcp $EXTERNAL_NET  any ->  $HOME_NET $HTTP_PORTS (msg:"UFOISC
>>>> Jorik FakeAV GET"; flow:established,to_server;  content:"GET /britix/a
>>>> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
>>>>
>>>
>>>
>>> Forgive me as I do not work often with Snort. Would this signature also catch
>>> "/britix/ar"? You should be on guard for this in addition to the /a. Thank you.
>>
>> strictly looking at the rule posted, it would appear that your URI is not
>> caught... why? because the space is invisible in the rule and it appears to read
>> as "/a http/1.1" (no case on purpose)... which means that "/a" followed by a
>> space plus the http revision is all that's looked for...
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>>
>
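The following toy model, added here and not part of the thread or of Snort, shows the difference the replies above describe: a single raw content match on "GET /britix/a HTTP/1.1" pins the URI to exactly "/britix/a" (so "/britix/ar" is missed), while checking "GET" in the method buffer and "/britix/a" in the URI buffer matches any URI containing that string. The normalize_uri function is a simplified stand-in for http_inspect's URI normalization and is an assumption of this model, as are the constructed sample requests.

```python
from urllib.parse import unquote

def parse_request_line(payload: bytes) -> tuple:
    """Split the HTTP request line into (method, raw URI)."""
    first_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = first_line.split(" ", 2)
    return method, uri

def normalize_uri(uri: str) -> str:
    """Simplified stand-in (an assumption of this model) for the URI
    normalization http_inspect performs before http_uri is evaluated."""
    uri = unquote(uri)              # decode %xx escapes
    while "/./" in uri:             # drop self-referential path segments
        uri = uri.replace("/./", "/")
    return uri

def rule_a_raw_content(payload: bytes) -> bool:
    """Original rule: content:"GET /britix/a HTTP/1.1"; fast_pattern:only;
    One raw-payload match, so the trailing " HTTP/1.1" requires the URI
    to be exactly "/britix/a"."""
    return b"GET /britix/a HTTP/1.1" in payload

def rule_b_http_buffers(payload: bytes) -> bool:
    """Updated rule: content:"GET"; http_method; content:"/britix/a"; http_uri;
    Each content is checked in its own buffer, so any URI containing
    "/britix/a" qualifies."""
    method, uri = parse_request_line(payload)
    return method == "GET" and "/britix/a" in normalize_uri(uri)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "exact":   b"GET /britix/a HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ar":      b"GET /britix/ar HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "encoded": b"GET /britix/%61 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign":  b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

def evaluate(payload: bytes) -> dict:
    """Report which rule style fires on the payload."""
    return {"raw_content": rule_a_raw_content(payload),
            "http_buffers": rule_b_http_buffers(payload)}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:8} {evaluate(request)}")
```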

