[Emerging-Sigs] Question about flowbits
paul.halliday at gmail.com
Wed Sep 3 07:33:07 EDT 2014
Just one more question.
I recently upgraded. I am just looking over the included suricata.yaml and
while it has "emerging-malware.rules" listed and enabled in rule-files
"emerging-info.rules" isn't even mentioned in that list. I wasn't aware I
should have that included as well to avoid the FPs.
Is it typically the role of a rule manager to figure out this dependency
and set things up for me or is it just a step I missed; or am I looking at
this the wrong way?
On Tue, Sep 2, 2014 at 7:02 PM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG
> Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri;
> content:"Host|3a 20|platformdl.adobe.com|0d 0a|"; http_header; nocase;
> flowbits:set,ET.Adobe.Site.Download; flowbits:noalert;
> classtype:misc-activity; sid:2017294; rev:3;)
> We set a flowbit on certain downloads from Adobe. It is FP avoidance
> because their servers set Content-Type|3a| text/plain on EXE's :(.
> On Tue, Sep 2, 2014 at 4:58 PM, Paul Halliday <paul.halliday at gmail.com> wrote:
>> Looking at this rule:
>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible
>> Windows executable sent when remote host claims to send a Text File";
>> flow:established,from_server; content:"Content-Type|3a| text/plain";
>> http_header; file_data; content:"MZ"; within:2;
>> byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern;
>> distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download;
>> classtype:trojan-activity; sid:2008438; rev:13;)
>> How does this work "flowbits:isnotset,ET.Adobe.Site.Download;"
>> What exactly is it doing?
>> Paul Halliday
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
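Editor's added example (not code from Emerging Threats, Suricata or the posters): the dependency Paul is asking about is mechanical enough to check offline. A flowbit is per flow; sid 2017294 sets ET.Adobe.Site.Download on the to_server request (with flowbits:noalert, so the setter never alerts), and sid 2008438 checks it on the from_server response. If the file holding the setter is not in rule-files, or the setter is commented out by a rule manager, the isnotset check is always true and 2008438 silently loses its FP suppression; the reverse case, an isset check whose setter is gone, means the checking rule can never fire. Current Suricata releases log a startup warning for a flowbit that is checked but never set; the script below does the same check over rule files before deployment. The rule text in it is constructed and trimmed to the options that matter (content and byte_jump options dropped); sids 9000001/9000002 and the bit Example.Disabled are hypothetical, added only to show the commented-out-setter case, and the handling of Suricata's "a|b" OR form in isset/isnotset is an assumption about that syntax.

```python
"""Flowbit dependency check across Suricata rule files.

Given the text of rule files and the subset of files that suricata.yaml
enables, list every flowbit that an enabled rule checks (isset/isnotset)
but that no enabled, uncommented rule ever sets or toggles.
"""
import re
from collections import defaultdict

# Constructed rule files, trimmed to the options relevant to flowbits.
# sids 9000001/9000002 and the bit Example.Disabled are hypothetical.
RULE_FILES = {
    "emerging-info.rules": r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2017294; rev:3;)
''',
    "emerging-malware.rules": r'''
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; flowbits:isnotset,ET.Adobe.Site.Download; classtype:trojan-activity; sid:2008438; rev:13;)
# A setter that a rule manager has disabled (commented out) must not count.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HYPOTHETICAL disabled setter"; flowbits:set,Example.Disabled; flowbits:noalert; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"HYPOTHETICAL checker of disabled bit"; flowbits:isset,Example.Disabled; sid:9000002; rev:1;)
''',
}

# flowbits:<op>[,<name>]; the name is absent for noalert.
FLOWBITS_RE = re.compile(
    r'flowbits\s*:\s*(set|unset|toggle|isset|isnotset|noalert)(?:\s*,\s*([^;]+))?\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTIONS = ("alert", "drop", "pass", "reject")


def parse_rules(text):
    """Yield (sid, enabled, [(op, bitname_or_None), ...]) per rule line.

    A line starting with '#' followed by a rule action is a disabled rule;
    any other '#' line is a plain comment and is skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        if not body.startswith(ACTIONS):
            continue
        m = SID_RE.search(body)
        if not m:
            continue
        ops = [(op, name.strip() if name else None)
               for op, name in FLOWBITS_RE.findall(body)]
        yield int(m.group(1)), enabled, ops


def flowbit_dependencies(rule_files, enabled_files):
    """Return {bit: {"isset": [sids], "isnotset": [sids]}} for each flowbit
    checked by an enabled rule but set/toggled by no enabled rule.

    Unmet isnotset: the check is always true, suppression silently lost.
    Unmet isset:    the check is always false, the rule can never alert."""
    setters = set()
    checks = []  # (sid, op, [alternative bit names])
    for fname in enabled_files:
        for sid, enabled, ops in parse_rules(rule_files[fname]):
            if not enabled:
                continue
            for op, name in ops:
                if name is None:  # noalert carries no bit name
                    continue
                # Assumed OR syntax "a|b": satisfied if any alternative is set.
                alternatives = [b.strip() for b in name.split("|")]
                if op in ("set", "toggle"):
                    setters.update(alternatives)
                elif op in ("isset", "isnotset"):
                    checks.append((sid, op, alternatives))
    unmet = defaultdict(lambda: {"isset": [], "isnotset": []})
    for sid, op, alternatives in checks:
        if not any(bit in setters for bit in alternatives):
            unmet["|".join(alternatives)][op].append(sid)
    return {bit: {op: sorted(sids) for op, sids in d.items()}
            for bit, d in unmet.items()}


if __name__ == "__main__":
    for enabled in (["emerging-malware.rules"], list(RULE_FILES)):
        print("enabled:", enabled)
        for bit, by_op in flowbit_dependencies(RULE_FILES, enabled).items():
            for op, sids in by_op.items():
                if sids:
                    print(f"  flowbit {bit!r} checked with {op} by {sids} but never set")
```

Running it with only emerging-malware.rules enabled reports both ET.Adobe.Site.Download (checked by 2008438 with isnotset) and the hypothetical Example.Disabled; adding emerging-info.rules clears the first finding but not the second, because the commented-out setter does not count. The same pass is worth running after any rule-manager tuning that disables rules wholesale, since noalert setters look like dead weight in an alert-count report and are easy to switch off by mistake.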