[Emerging-Sigs] request update sig 2015841 rev 2

Will Metcalf wmetcalf at emergingthreatspro.com
Mon Dec 3 11:55:33 HAST 2012


Do you realize that because this is fast_pattern:only the logic you
proposed isn't the same thing? fast_pattern:only (in Snort) makes the match
case insensitive even if nocase is not set, i.e. it will fire on "/ApPlEt.JaR".
But you are right, urilen is more efficient than pcre, so I will go with what
is below. Thanks for the report.

Regards,

Will

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Unknown Exploit Kit Landing Page";
flow:established,to_server; urilen:11; content:"/Applet.jar"; http_uri;
classtype:successful-user; sid:2015841; rev:2;)

On Sat, Dec 1, 2012 at 6:04 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi,
>
> I request an update on this sig:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Unknown Exploit Kit Landing Page";
> flow:established,to_server; content:"/Applet.jar"; http_uri;
> fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user;
> sid:2015841; rev:2;)
>
> -remove pcre
> -replace by urilen:11
>
> Regards
> Rmkml
>
> http://twitter.com/rmkml

