[Emerging-Sigs] Advice on modifying a rule

Francis Trudeau ftrudeau at emergingthreats.net
Fri Sep 26 12:43:23 EDT 2014


Try this:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)

That works here.  I am not sure if it will FP, but it does work.

Let me know how it goes.

Francis


On Thu, Sep 25, 2014 at 10:18 PM, Russell Fulton
<r.fulton at auckland.ac.nz> wrote:
> This Rule is a little US centric ;)
>
> I had a PulledPork modify that replaced 'content:"USA"' with a pcre /[A-Z]{2,3}/, but this does not work with suri, though it did with my older version of Snort.  I assume the problem is that the rule optimiser can't figure out how long the pcre match is.
>
> My aim here is to pick up other country codes like NZ ;)  but I still want to catch USA and UK etc. too, since travellers bring these things home with them.  (*)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)
>
> Suggestions about how I can modify this rule to do what I want?
>
> [ yes this is the one I posted about a while back — I swear I checked the modify.conf for the sid, sigh… ]
>
>
> Russell
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
>
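To make the two approaches concrete, here is an added Python emulation of three rule variants (the rev:5 content/within rule, Francis's relative pcre, and a hypothetical ^-anchored form) run over constructed NICK lines; it is not code from the thread or from the ET ruleset. It follows the documented Snort/Suricata semantics of the R modifier: the search starts at the end of the previous content match, but the expression is only pinned to that offset when it begins with ^, which is why the [^\r\n]{0,7} prefix on its own does not bound how far from "NICK " the capitals may be.

```python
import re

# Constructed IRC client-to-server lines (not captured traffic).
SAMPLES = {
    "usa": b"NICK USA|123456\r\n",                 # what rev:5 of sid 2008124 catches
    "nz": b"NICK NZ|bot0042\r\n",                  # what Russell wants to catch as well
    "mixed_caps": b"NICK johnDOE\r\n",             # ordinary nick with 2+ capitals (FP risk)
    "far_usa": b"NICK x" + b"y" * 12 + b"USA\r\n", # capitals well beyond the 10-byte window
    "not_first": b"PRIVMSG #c :NICK USA\r\n",      # "NICK " is not within depth:5
}

CONTENT, DEPTH = b"NICK ", 5     # content:"NICK "; depth:5;
USA, WITHIN = b"USA", 10         # content:"USA"; within:10;   (rev:5 as posted by Russell)
RELATIVE = re.compile(rb"[^\r\n]{0,7}[A-Z]{2,3}")  # pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R"


def anchor(payload: bytes):
    """Offset just past 'NICK ' when the whole pattern lies inside the first DEPTH bytes."""
    idx = payload[:DEPTH].find(CONTENT)
    return None if idx < 0 else idx + len(CONTENT)


def usa_rule(payload: bytes) -> bool:
    """rev:5: 'USA' must end within 10 bytes of the end of the 'NICK ' match."""
    start = anchor(payload)
    return start is not None and USA in payload[start:start + WITHIN]


def pcre_relative(payload: bytes) -> bool:
    r"""Francis's rule: R starts the search at the anchor but does not pin the
    expression there, so this is a search from the anchor, not a match at it."""
    start = anchor(payload)
    return start is not None and RELATIVE.search(payload, start) is not None


def pcre_anchored(payload: bytes) -> bool:
    r"""Hypothetical tightening, pcre:"/^[^\r\n]{0,7}[A-Z]{2,3}/R": with ^ the
    capitals must start within 8 bytes of the anchor, close to the within:10 window."""
    start = anchor(payload)
    return start is not None and RELATIVE.match(payload, start) is not None


def evaluate():
    """Per sample: (usa_rule, pcre_relative, pcre_anchored) alert decisions."""
    return {name: (usa_rule(p), pcre_relative(p), pcre_anchored(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in evaluate().items():
        print(f"{name:11s} usa={flags[0]!s:5} relative={flags[1]!s:5} anchored={flags[2]}")
```

The "far_usa" line shows the practical difference: the relative form fires on capitals anywhere after the anchor, while the anchored form and the rev:5 rule both keep the match close to "NICK ".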

