[Emerging-Sigs] Question about flowbits

Paul Halliday paul.halliday at gmail.com
Tue Sep 2 17:58:05 EDT 2014


Looking at this rule:

alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; \
    flow:established,from_server; \
    content:"Content-Type|3a| text/plain"; http_header; \
    file_data; content:"MZ"; within:2; \
    byte_jump:4,58,relative,little; \
    content:"PE|00 00|"; fast_pattern; distance:-64; within:4; \
    flowbits:isnotset,ET.Adobe.Site.Download; \
    reference:url,doc.emergingthreats.net/bin/view/Main/2008438; \
    classtype:trojan-activity; sid:2008438; rev:13;)

How does this work: "flowbits:isnotset,ET.Adobe.Site.Download;"?

What exactly is it doing?

Thanks!

-- 
Paul Halliday
http://www.pintumbler.org/
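The option asked about is a per-flow state check: `flowbits:isnotset,NAME` makes the rule match only if no earlier rule on the same TCP flow has executed `flowbits:set,NAME`. The bit is set by a companion rule (usually with `flowbits:noalert`) that recognises a context in which the signature is known to be a false positive; here, the name suggests a request to an Adobe download site that is expected to answer with a Windows executable. The following toy evaluator is an added example written for this thread, not Suricata or Snort code and not part of the ET ruleset. The rule that sets ET.Adobe.Site.Download is not shown in the post, so SETTER_RULE below is an assumed companion rule with a placeholder local sid; the traffic, hostnames and the MZ/PE body are constructed. The evaluator also walks through the byte_jump/distance arithmetic of sid 2008438 to show that the "PE|00 00|" check lands exactly at the offset e_lfanew points to.

```python
# Added example: how flowbits:isnotset gates sid 2008438 on per-flow state.
# Toy evaluator for this thread, not Suricata/Snort code; SETTER_RULE is an
# assumed companion rule (the real setter is not shown in the post).
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Rule quoted in the post, joined onto one line.
CHECKER_RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows '
    'executable sent when remote host claims to send a Text File"; '
    'flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; '
    'file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; '
    'content:"PE|00 00|"; fast_pattern; distance:-64; within:4; '
    'flowbits:isnotset,ET.Adobe.Site.Download; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2008438; '
    'classtype:trojan-activity; sid:2008438; rev:13;)'
)

# Hypothetical companion rule (placeholder local sid 1000001): matches the
# client's request to an Adobe host, sets the bit on that flow, never alerts.
SETTER_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL Adobe download '
    'site request"; flow:established,to_server; content:"adobe.com"; http_host; '
    'flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; sid:1000001; rev:1;)'
)


def flowbit_ops(rule_text: str) -> List[Tuple[str, str]]:
    """Extract (operation, bit name) pairs; noalert carries no name."""
    return re.findall(r"flowbits:(\w+)(?:,([\w.]+))?;", rule_text)


@dataclass
class Event:
    flow: str             # flow identifier (stand-in for the 5-tuple)
    direction: str        # "to_server" or "from_server"
    http_host: str = ""
    headers: str = ""
    body: bytes = b""     # file_data buffer (response body)


def setter_matches(ev: Event) -> bool:
    return ev.direction == "to_server" and "adobe.com" in ev.http_host


def checker_matches(ev: Event) -> bool:
    """Content checks of sid 2008438, without the flowbits test."""
    if ev.direction != "from_server" or "Content-Type: text/plain" not in ev.headers:
        return False                                   # |3a| is ':'
    body = ev.body
    if len(body) < 64 or body[:2] != b"MZ":            # content:"MZ"; within:2
        return False
    cursor = 2
    # byte_jump:4,58,relative,little: read 4 LE bytes 58 past the cursor
    # (file offset 60 = e_lfanew) and advance the cursor past them by that value.
    e_lfanew = int.from_bytes(body[cursor + 58 : cursor + 62], "little")
    cursor = cursor + 58 + 4 + e_lfanew
    # content:"PE|00 00|"; distance:-64; within:4 -> the 4-byte pattern must
    # start exactly at cursor - 64, i.e. at file offset e_lfanew.
    start = cursor - 64
    return body[start : start + 4] == b"PE\x00\x00"


@dataclass
class Rule:
    sid: int
    text: str
    matches: Callable[[Event], bool]


def evaluate(rules: List[Rule], events: List[Event]) -> List[Tuple[str, int]]:
    """Replay events in order; flowbits live on the flow, not on the packet."""
    bits = defaultdict(set)            # flow id -> set of bit names
    alerts = []
    for ev in events:
        flow_bits = bits[ev.flow]
        for rule in rules:
            if not rule.matches(ev):
                continue
            ops = flowbit_ops(rule.text)
            # isset/isnotset are match conditions: the rule fails if they do.
            if any(op == "isset" and name not in flow_bits for op, name in ops):
                continue
            if any(op == "isnotset" and name in flow_bits for op, name in ops):
                continue
            for op, name in ops:       # set/unset apply once the rule matched
                if op == "set":
                    flow_bits.add(name)
                elif op == "unset":
                    flow_bits.discard(name)
            if not any(op == "noalert" for op, _ in ops):
                alerts.append((ev.flow, rule.sid))
    return alerts


def fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal MZ/PE image: e_lfanew at offset 60 points at PE\\0\\0."""
    dos_header = b"MZ" + b"\x00" * 58 + e_lfanew.to_bytes(4, "little")   # 64 bytes
    return dos_header.ljust(e_lfanew, b"\x00") + b"PE\x00\x00" + b"\x4c\x01"


RULES = [Rule(1000001, SETTER_RULE, setter_matches),
         Rule(2008438, CHECKER_RULE, checker_matches)]

# Constructed traffic: three flows, each answering with a PE body.
TEXT_PLAIN = "Content-Type: text/plain\r\n"
EVENTS = [
    # flowA: client first asked an Adobe host -> bit set -> 2008438 suppressed
    Event("flowA", "to_server", http_host="download.adobe.com"),
    Event("flowA", "from_server", headers=TEXT_PLAIN, body=fake_pe()),
    # flowB: unrelated host -> bit never set on this flow -> 2008438 fires
    Event("flowB", "to_server", http_host="cdn.example.invalid"),
    Event("flowB", "from_server", headers=TEXT_PLAIN, body=fake_pe()),
    # flowC: honest Content-Type -> content checks fail regardless of bits
    Event("flowC", "to_server", http_host="cdn.example.invalid"),
    Event("flowC", "from_server",
          headers="Content-Type: application/octet-stream\r\n", body=fake_pe()),
]


def demo() -> List[Tuple[str, int]]:
    return evaluate(RULES, EVENTS)   # -> [("flowB", 2008438)]
```

Two things the replay makes visible: the bit set in flowA does nothing for flowB, because flowbits are keyed by flow rather than by host or by session across flows, and the setter only suppresses the checker if it matched earlier on that same flow, which is why the request-side rule must see the client's request before the response arrives.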

