[Emerging-Sigs] Rule 2000418

rmkml rmkml at yahoo.fr
Tue Sep 30 23:34:34 EDT 2014


Thanks James and Will,

and don't forget that fast_pattern is case-insensitive...

Regards
@Rmkml


On Tue, 30 Sep 2014, Will Metcalf wrote:

> We will take a look. Thanks James.
> 
> Regards,
> 
> Will
> 
> On Tue, Sep 30, 2014 at 2:13 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>       Any reason distance wasn't specified with this rule?
>
>       alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern:only; content:"|00 00 00 00 00 00 00 00|";
>       flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation;
>       sid:2000418; rev:13;)
> 
>
>       This matches at almost the end of a 1500 size packet:
>
>       [ 1024] 2D 23 D8 B5 36 B2 B0 D6 19 C4 35 4E 65 4D 23 C5  -#..6.....5NeM#.
>       [ 1040] 39 57 AC 15 73 C9 37 DD 47 86 B2 6E AB B8 DE 13  9W..s.7.G..n....
>       [ 1056] 4B 74 B7 E6 92 D7 F9 9F DC FC AB 3F 5F 1D F4 CD  Kt.........?_...
>       [ 1072] E9 46 E7 EA FF 01 83 57 69 B3 03 5F 06 47 CA C8  .F.....Wi.._.G..
>       [ 1088] 66 07 A8 9C E6 61 96 AD EE 53 35 15 79 5A E6 54  f....a...S5.yZ.T
>       [ 1104] 3D A8 50 32 CE 8C 06 9B 73 F2 43 D2 BA DC F5 9B  =.P2....s.C.....
>       [ 1120] 23 E4 B5 36 B9 E3 3C 86 A3 69 B4 A9 AC E4 61 38  #..6..<..i....a8
>       [ 1136] 00 00 01 08 08 00 01 19 10 F7 38 00 00 00 00 AF  ..........8.....
>       [ 1152] 01 21 4A FE FF F3 50 A4 B9 93 65 CA A3 2E 2A 8E  .!J...P...e...*.
>       [ 1168] B8 AD 0A DC 5D 93 53 31 FB 9C EE FB AC F1 32 AD  ....].S1......2.
>       [ 1184] 79 1A 02 44 12 2B C6 E4 2F 05 6B A6 CD 4F C4 C5  y..D.+../.k..O..
>       [ 1200] 28 49 9B 53 A6 F9 5F B8 10 03 5B 43 95 DD FF 4F  (I.S.._...[C...O
>       [ 1216] F9 40 0C F4 FB 5F 3E EE 9F 7F 00 00 00 00 00 00  .@..._>.........
>       [ 1232] 00 00 00 00 10 A3 47 59 4E B9 97 08 09 AB CB 60  ......GYN......`
>       [ 1248] 24 44 00 15 06 97 05 5A 5E F6 A4 40 00 0B 09 35  $D.....Z^..@...5
>       [ 1264] BF BB 18 00 00 48 00 00 C3 8A EB 11 1F C3 3A 84  .....H........:.
>       [ 1280] 4B 14 06 C1 C8 3B A4 94 37 32 58 A9 12 69 77 AD  K....;..72X..iw.
>       [ 1296] CD 5B A1 D9 EA 7A D2 36 55 34 B0 72 FB 3E C7 5D  .[...z.6U4.r.>.]
>       [ 1312] FE 5A FE F5 43 5B DB 44 A2 C7 7E 9D 75 F7 A5 23  .Z..C[.D..~.u..#
>       [ 1328] 8D A3 A6 0B D3 0E 33 9C 14 AF B2 5A BB C1 DF AE  ......3....Z....
>       [ 1344] B2 53 C9 CD 28 5D 7F 65 4C 46 78 65 78 15 A1 73  .S..(].eLFxex..s
>       [ 1360] E9 BF 72 02 80 04 10 A5 C0 89 80 02 C4 29 56 1A  ..r..........)V.
>
>       Per https://en.wikipedia.org/wiki/Executable_and_Linkable_Format I'm betting setting distance:64; could cover this.
>
>       James
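The thread turns on two properties of Snort 2 content matching: a `content` with no relative modifier is searched over the whole payload (so the eight zero bytes at offset 1226 satisfy the rule even though the `|7F|ELF` hit is at offset 1350), and a content used with `fast_pattern:only` is checked only by the case-insensitive fast pattern matcher (so `|7F|eLF` in the dump counts as `|7F|ELF`). The Python below is an added example written for this page, not Snort's source and not ET's rule file; it models those semantics from the Snort manual and replays the quoted rev 13 chain, the `distance:64` variant from the thread, and an assumed `within`-based variant of my own against two inputs: a 1500-byte payload built from the three dump lines that matter (everything else is constructed filler) and a constructed ELF64 header laid out per the spec. Offsets, the 0x41 filler and the header field values are assumptions for the demonstration.

```python
"""Model of Snort 2 `content` chain evaluation, written for this thread.

Added example: this is not Snort's source and not the ET rule file. It
restates the matching semantics from the Snort manual so the rev 13 rule can
be replayed against (a) the packet fragment quoted in the thread and (b) a
constructed ELF64 header:
  * a content with no relative modifier is searched over the whole payload;
  * distance:N starts the search N bytes after the end of the previous match;
  * within:N requires the match to end within N bytes of that start point;
  * a content used only by the fast pattern matcher (fast_pattern:only) is
    matched case-insensitively, so it is modelled as nocase.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False            # True models fast_pattern:only / nocase
    distance: Optional[int] = None  # bytes to skip after the previous match
    within: Optional[int] = None    # max bytes from search start to match end


def match_contents(payload: bytes, chain: List[Content]) -> Optional[int]:
    """Offset of the last content's match, or None if any content fails."""
    cursor = 0   # end of the previous match (Snort's "detect offset end")
    pos = -1
    for c in chain:
        if c.distance is None and c.within is None:
            start, end = 0, len(payload)                 # absolute search
        else:
            start = cursor + (c.distance or 0)
            end = len(payload) if c.within is None else start + c.within
        if c.nocase:
            hay, needle = payload.lower(), c.pattern.lower()
        else:
            hay, needle = payload, c.pattern
        pos = hay.find(needle, start, end)   # needle must fit inside [start, end)
        if pos < 0:
            return None
        cursor = pos + len(c.pattern)
    return pos


MAGIC = b"\x7fELF"
ZEROS = b"\x00" * 8

# SID 2000418 rev 13 as quoted: magic via fast_pattern:only, zeros unanchored.
RULE_REV13 = [Content(MAGIC, nocase=True), Content(ZEROS)]
# Same chain if the magic were verified case-sensitively.
RULE_REV13_CASE = [Content(MAGIC), Content(ZEROS)]
# distance:64 on the zeros, as suggested in the thread.
RULE_DISTANCE64 = [Content(MAGIC, nocase=True), Content(ZEROS, distance=64)]
# Assumed alternative (not from the thread): the zero run must end within
# 60 bytes of the end of the magic, i.e. inside the 64-byte ELF64 header.
RULE_WITHIN_HDR = [Content(MAGIC, nocase=True),
                   Content(ZEROS, distance=0, within=60)]

# The three lines of the quoted dump that matter, at their offsets; the rest
# of the 1500-byte payload is constructed 'A' filler (no zeros, no 0x7F).
DUMP_LINES = {
    1216: "F9 40 0C F4 FB 5F 3E EE 9F 7F 00 00 00 00 00 00",
    1232: "00 00 00 00 10 A3 47 59 4E B9 97 08 09 AB CB 60",
    1344: "B2 53 C9 CD 28 5D 7F 65 4C 46 78 65 78 15 A1 73",
}


def build_packet() -> bytes:
    buf = bytearray(b"A" * 1500)
    for off, hexs in DUMP_LINES.items():
        chunk = bytes.fromhex(hexs)
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def elf64_header(osabi: int = 0) -> bytes:
    """Constructed 64-byte ELF64 little-endian header laid out per the spec."""
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (LE), EI_VERSION=1,
    # EI_OSABI, EI_ABIVERSION=0, then 7 bytes of EI_PAD (zero).
    e_ident = MAGIC + bytes([2, 1, 1, osabi, 0]) + b"\x00" * 7
    rest = struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1,             # e_type ET_EXEC, e_machine x86-64, e_version
        0x401000, 64, 0x1000,   # e_entry, e_phoff, e_shoff (assumed values)
        0,                      # e_flags
        64, 56, 1, 64, 0, 0,    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    return e_ident + rest


if __name__ == "__main__":
    for name, chain in [("rev13", RULE_REV13), ("rev13 case-sensitive", RULE_REV13_CASE),
                        ("distance:64", RULE_DISTANCE64), ("within header", RULE_WITHIN_HDR)]:
        print(f"{name:22} packet={match_contents(build_packet(), chain)} "
              f"elf64={match_contents(elf64_header(), chain)}")
```

Running it shows the rev 13 chain matching the packet at offset 1226 (the zero run, found by the unanchored second content after the case-insensitive hit at 1350) and the same chain returning None once the magic is matched case-sensitively. The `distance:64` variant does not fire on this packet, but on a bare ELF64 header its search window starts at offset 68, past the 64-byte header, so it returns None there too; the assumed `within:60` variant fires on the header (zero run at offset 7 for EI_OSABI 0, offset 8 for EI_OSABI 3) and not on the packet.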

