[Emerging-Sigs] Advice on modifying a rule

Russell Fulton r.fulton at auckland.ac.nz
Fri Sep 26 00:18:49 EDT 2014


This Rule is a little US centric ;)

I had a pulled pork modify that replace ‘content:”USA”’ with a pcre /[A-Z]{2,3}/ but this does not work with suri but did with my older version of snort.  I assume the problem is that the rule optimiser cant figure out how long the pcre match is.

My aim here is to pick up other country coded like NZ ;)  but I still want to catch USA and UK etc too since travellers bring these things home with them.  (*)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)

Suggestions about how I can modify this rule to do what I want.  

[ yes this is the one I posted about a while back — I swear I checked the modify.conf for the sid, sigh… ] 


Russell


More information about the Emerging-sigs mailing list