[Emerging-Sigs] Question about flowbits

Paul Halliday paul.halliday at gmail.com
Wed Sep 3 07:33:07 EDT 2014


Just one more question.

I recently upgraded. I am just looking over the included suricata.yaml and
while it has "emerging-malware.rules" listed and enabled in rule-files
"emerging-info.rules" isn't even mentioned in that list. I wasn't aware I
should have that included as well to avoid the FPs.

Is it typically the role of a rule manager to figure out this dependency
and set things up for me or is it just a step I missed; or am I looking at
this the wrong way?

Thanks.


On Tue, Sep 2, 2014 at 7:02 PM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:

> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG
> Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri;
> content:"Host|3a 20|platformdl.adobe.com|0d 0a|"; http_header; nocase;
> flowbits:set,ET.Adobe.Site.Download; flowbits:noalert;
> classtype:misc-activity; sid:2017294; rev:3;)
>
> We set a flowbit on certain downloads from Adobe. It is FP avoidance
> because their servers set Content-Type|3a| text/plain on EXE's :(.
>
> Regards,
>
> Will
>
>
> On Tue, Sep 2, 2014 at 4:58 PM, Paul Halliday <paul.halliday at gmail.com> wrote:
>
>> Looking at this rule:
>>
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible
>> Windows executable sent when remote host claims to send a Text File";
>> flow:established,from_server; content:"Content-Type|3a| text/plain";
>> http_header; file_data; content:"MZ"; within:2;
>> byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern;
>> distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download;
>> reference:url,doc.emergingthreats.net/bin/view/Main/2008438;
>> classtype:trojan-activity; sid:2008438; rev:13;)
>>
>> How does this work "flowbits:isnotset,ET.Adobe.Site.Download;"
>>
>> What exactly is it doing?
>>
>> Thanks!
>>
>> --
>> Paul Halliday
>> http://www.pintumbler.org/
>>
>


-- 
Paul Halliday
http://www.pintumbler.org/
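As an added illustration (not from the thread or the ET rule set), a small Python model of the two rules quoted above: it mirrors the MZ/e_lfanew/PE checks of sid:2008438 and the flowbit gate, and shows that when emerging-info.rules is not loaded the setter (sid:2017294) never runs, so the malware rule fires on the Adobe download. The flow records and PE stub are constructed; real Suricata evaluates rules per packet with its own ordering, which this toy only approximates.

```python
import struct

# Constructed sample data (not real captures): a minimal PE stub and two HTTP flows.
PE_BODY = bytearray(0x90)
PE_BODY[0:2] = b"MZ"                       # DOS header magic
PE_BODY[60:64] = struct.pack("<I", 0x80)   # e_lfanew: offset of the "PE\0\0" signature
PE_BODY[0x80:0x84] = b"PE\x00\x00"
ADOBE_FLOW = {"request": {"uri": "/pub/adobe/reader/AdbeRdr.pkg", "host": "platformdl.adobe.com"},
              "response": {"content_type": "text/plain", "body": PE_BODY}}
OTHER_FLOW = {"request": {"uri": "/notes.txt", "host": "example.com"},
              "response": {"content_type": "text/plain", "body": PE_BODY}}

def looks_like_pe(body: bytes) -> bool:
    # sid:2008438 payload logic: "MZ" at offset 0; byte_jump:4,58,relative,little reads the
    # 4-byte e_lfanew at offset 60; "PE|00 00|" (distance:-64; within:4) must sit at that offset.
    if body[:2] != b"MZ" or len(body) < 64:
        return False
    e_lfanew = struct.unpack_from("<I", body, 60)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def info_rule_2017294(flow, flowbits):
    # ET INFO rule on the request: "pkg" in the URI plus Host platformdl.adobe.com sets the
    # flowbit; flowbits:noalert, so it never alerts on its own.
    req = flow["request"]
    if "pkg" in req["uri"] and req["host"].lower() == "platformdl.adobe.com":
        flowbits.add("ET.Adobe.Site.Download")
    return None

def malware_rule_2008438(flow, flowbits):
    # ET MALWARE rule on the response: text/plain carrying a PE alerts unless the Adobe
    # flowbit was set earlier on the same flow (flowbits:isnotset).
    resp = flow["response"]
    if (resp["content_type"].startswith("text/plain") and looks_like_pe(resp["body"])
            and "ET.Adobe.Site.Download" not in flowbits):
        return "ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"
    return None

def run_flow(flow, loaded_rules):
    # The request is seen before the response, so a loaded info rule sets the bit first.
    flowbits, alerts = set(), []
    for rule in loaded_rules:
        msg = rule(flow, flowbits)
        if msg:
            alerts.append(msg)
    return alerts

if __name__ == "__main__":
    print("both files loaded:", run_flow(ADOBE_FLOW, [info_rule_2017294, malware_rule_2008438]))
    print("emerging-info.rules missing:", run_flow(ADOBE_FLOW, [malware_rule_2008438]))
```

With both rule files loaded the Adobe download produces no alert; with only emerging-malware.rules loaded the same flow alerts, which is the dependency a rule manager has to preserve.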