[Emerging-Sigs] Jorik FakeAV sig
pckthck at gmail.com
Mon Oct 31 12:09:52 EST 2011
So can someone give the quick and dirty when it's better to use
fast_pattern:only vs. http_uri/http_method?
On Sun, Oct 30, 2011 at 11:23 AM, Martin Holste <mcholste at gmail.com> wrote:
> Yep, looks like this one needs to be updated to content:"GET";
> http_method; content:"/britix/a"; http_uri; By the way, "britix"
> never appears in any part of a URI legitimately in our experience, so
> this should not need any anchoring.
> On Sat, Oct 29, 2011 at 10:19 PM, waldo kitty <wkitty42 at windstream.net> wrote:
>> On 10/29/2011 15:40, Jason wrote:
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"UFOISC
>>>> Jorik FakeAV GET"; flow:established,to_server; content:"GET /britix/a
>>>> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
>>> Forgive me as I do not work often with snort. Would this signature also catch
>>> "/britix/ar"? You should be on guard for this in addition to the /a. Thank you.
>> Strictly looking at the rule posted, it would appear that your URI is not
>> caught... why? Because the space is invisible in the rule and it appears to read
>> as "/a http/1.1" (no case on purpose)... which means that "/a" followed by a
>> space plus the http revision is all that's looked for...
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
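To make the difference between the two rule styles in this thread concrete, here is a small added model (not code from the thread or from Snort) of how each rule sees a request. It assumes the documented Snort behaviour that a fast_pattern:only content is checked against the raw payload by the case-insensitive multi-pattern matcher, while http_method and http_uri contents are substring checks inside their own normalized buffers; the sample requests are constructed.

```python
# Toy model of how the two rule styles in the thread see an HTTP request.
# Assumed Snort semantics: a content with fast_pattern:only is checked against
# the raw payload by the multi-pattern matcher, which is case-insensitive;
# http_method/http_uri contents are substring checks inside their own buffers.
from dataclasses import dataclass


@dataclass
class HttpRequest:
    raw: bytes
    method: bytes
    uri: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split the request line into the buffers an http_* modifier would see."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return HttpRequest(raw=raw, method=parts[0], uri=parts[1])


def match_fast_pattern_only(req: HttpRequest, pattern: bytes) -> bool:
    """content:"GET /britix/a HTTP/1.1"; fast_pattern:only; (raw payload, nocase)."""
    return pattern.lower() in req.raw.lower()


def match_method_uri(req: HttpRequest, method: bytes, uri_part: bytes) -> bool:
    """content:"GET"; http_method; content:"/britix/a"; http_uri; (per-buffer)."""
    return method in req.method and uri_part in req.uri


def evaluate(raw: bytes) -> dict:
    """Return which of the two rule styles would fire on this request."""
    req = parse_request(raw)
    return {
        "fast_pattern_only": match_fast_pattern_only(req, b"GET /britix/a HTTP/1.1"),
        "method_uri": match_method_uri(req, b"GET", b"/britix/a"),
    }


# Constructed sample requests (not captures from the thread).
SAMPLES = {
    "exact": b"GET /britix/a HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ar": b"GET /britix/ar HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "http10": b"GET /britix/a HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    "post": b"POST /britix/a HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```

The "/britix/ar" and HTTP/1.0 requests show why the raw "GET ... HTTP/1.1" string is brittle: the single fast_pattern:only content misses both, while the per-buffer version still matches.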