[Emerging-Sigs] Question about flowbits

Will Metcalf wmetcalf at emergingthreatspro.com
Tue Sep 2 18:02:13 EDT 2014


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG
Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri;
content:"Host|3a 20|platformdl.adobe.com|0d 0a|"; http_header; nocase;
flowbits:set,ET.Adobe.Site.Download; flowbits:noalert;
classtype:misc-activity; sid:2017294; rev:3;)

We set a flowbit on certain downloads from Adobe. It is FP avoidance
because their servers set Content-Type|3a| text/plain on EXE's :(.

Regards,

Will


On Tue, Sep 2, 2014 at 4:58 PM, Paul Halliday <paul.halliday at gmail.com>
wrote:

> Looking at this rule:
>
> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible
> Windows executable sent when remote host claims to send a Text File";
> flow:established,from_server; content:"Content-Type|3a| text/plain";
> http_header; file_data; content:"MZ"; within:2;
> byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern;
> distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download;
> reference:url,doc.emergingthreats.net/bin/view/Main/2008438;
> classtype:trojan-activity; sid:2008438; rev:13;)
>
> How does this work: "flowbits:isnotset,ET.Adobe.Site.Download;"?
>
> What exactly is it doing?
>
> Thanks!
>
> --
> Paul Halliday
> http://www.pintumbler.org/
>
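To make the flowbit mechanics concrete, here is a small Python model of the two rules quoted in this thread. It is an added example, not code from Emerging Threats, Snort or Suricata: the flow table, the flow key and the HTTP messages are constructed stand-ins, and the hostnames, ports and payload are made up. It walks the request rule (sid 2017294: set the bit, noalert) and the response rule (sid 2008438: MZ/PE check, then isnotset) over two sessions, one that fetched a .pkg from platformdl.adobe.com first and one that did not, to show why only the second one alerts.

```python
import struct

# Flowbits are per-session state shared by rules, so both directions of a
# TCP session must map to one key (assumption: a normalised 4-tuple is enough).
def flow_key(src, sport, dst, dport):
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

class FlowbitTable:
    """Constructed stand-in for the IDS flowbit store, not the engine's code."""
    def __init__(self):
        self._bits = {}
    def set(self, key, name):
        self._bits.setdefault(key, set()).add(name)
    def isset(self, key, name):
        return name in self._bits.get(key, set())
    def isnotset(self, key, name):
        return not self.isset(key, name)

def rule_2017294(bits, key, direction, uri, headers):
    """to_server; 'pkg' in URI (case-sensitive); Host platformdl.adobe.com
    (nocase); flowbits:set + flowbits:noalert. Returns whether it alerts."""
    if direction != "to_server" or "pkg" not in uri:
        return False
    if "host: platformdl.adobe.com\r\n" not in headers.lower():
        return False
    bits.set(key, "ET.Adobe.Site.Download")
    return False  # flowbits:noalert: state is recorded, nothing is raised

def pe_after_text_plain(headers, body):
    """Content-Type text/plain header plus the MZ / byte_jump / PE checks."""
    if "Content-Type: text/plain" not in headers:
        return False
    if body[:2] != b"MZ":               # content:"MZ"; within:2
        return False
    if len(body) < 64:
        return False
    # byte_jump:4,58,relative,little: cursor is at 2 after "MZ"; skip 58 bytes
    # to offset 60 (e_lfanew), read 4 LE bytes, jump that far from offset 64.
    e_lfanew = struct.unpack_from("<I", body, 60)[0]
    cursor = 64 + e_lfanew
    # content:"PE|00 00|"; distance:-64; within:4  ->  exactly at e_lfanew
    pos = cursor - 64
    return body[pos:pos + 4] == b"PE\x00\x00"

def rule_2008438(bits, key, direction, headers, body):
    """from_server; EXE disguised as text/plain; only alert if the Adobe
    download flowbit was never set on this session."""
    if direction != "from_server":
        return False
    if not pe_after_text_plain(headers, body):
        return False
    return bits.isnotset(key, "ET.Adobe.Site.Download")

def build_fake_pe(e_lfanew=0x80):
    """Constructed minimal DOS-stub-plus-PE-signature blob (not a real file)."""
    buf = bytearray(b"MZ" + b"\x00" * (e_lfanew + 2))
    struct.pack_into("<I", buf, 60, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)

def run_demo():
    """Replay request then response for two sessions; return sids that fire."""
    bits = FlowbitTable()
    exe = build_fake_pe()
    resp_hdr = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    sessions = {  # constructed addresses and URIs
        "adobe":   ("10.0.0.5", 49152, "203.0.113.10", 80,
                    "/pub/reader/win/x.pkg", "Host: platformdl.adobe.com\r\n"),
        "unknown": ("10.0.0.5", 49153, "203.0.113.20", 80,
                    "/readme.txt", "Host: files.example.invalid\r\n"),
    }
    alerts = {}
    for name, (c, cp, s, sp, uri, req_hdr) in sessions.items():
        key = flow_key(c, cp, s, sp)
        fired = []
        if rule_2017294(bits, key, "to_server", uri, req_hdr):
            fired.append(2017294)
        if rule_2008438(bits, key, "from_server", resp_hdr, exe):
            fired.append(2008438)
        alerts[name] = fired
    return alerts

if __name__ == "__main__":
    print(run_demo())  # {'adobe': [], 'unknown': [2008438]}
```

The point the model makes: the isnotset check is evaluated on the server-to-client packet, and it only suppresses the alert when the client-to-server rule ran earlier on the same session, so both rules have to be loaded together for the exclusion to do anything.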