[Emerging-Sigs] Rule 2000418

Joel Esler (jesler) jesler at cisco.com
Tue Sep 30 17:41:59 EDT 2014


fast_pattern:only is case insensitive, fast_pattern just shoves that content match into the pattern matcher.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Sep 30, 2014, at 11:34 PM, rmkml <rmkml at yahoo.fr> wrote:

Thx James and Will,

and don't forget fast_pattern is case insensitive...

Regards
@Rmkml


On Tue, 30 Sep 2014, Will Metcalf wrote:

We will take a look. Thanks James.
Regards,
Will
On Tue, Sep 30, 2014 at 2:13 PM, James Lay <jlay at slave-tothe-box.net> wrote:
     Any reason distance wasn't specified with this rule?

     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern:only; content:"|00 00 00 00 00 00 00 00|";
     flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation;
     sid:2000418; rev:13;)

     This matches at almost the end of a 1500 size packet:

     [ 1024] 2D 23 D8 B5 36 B2 B0 D6 19 C4 35 4E 65 4D 23 C5  -#..6.....5NeM#.
     [ 1040] 39 57 AC 15 73 C9 37 DD 47 86 B2 6E AB B8 DE 13  9W..s.7.G..n....
     [ 1056] 4B 74 B7 E6 92 D7 F9 9F DC FC AB 3F 5F 1D F4 CD  Kt.........?_...
     [ 1072] E9 46 E7 EA FF 01 83 57 69 B3 03 5F 06 47 CA C8  .F.....Wi.._.G..
     [ 1088] 66 07 A8 9C E6 61 96 AD EE 53 35 15 79 5A E6 54  f....a...S5.yZ.T
     [ 1104] 3D A8 50 32 CE 8C 06 9B 73 F2 43 D2 BA DC F5 9B  =.P2....s.C.....
     [ 1120] 23 E4 B5 36 B9 E3 3C 86 A3 69 B4 A9 AC E4 61 38  #..6..<..i....a8
     [ 1136] 00 00 01 08 08 00 01 19 10 F7 38 00 00 00 00 AF  ..........8.....
     [ 1152] 01 21 4A FE FF F3 50 A4 B9 93 65 CA A3 2E 2A 8E  .!J...P...e...*.
     [ 1168] B8 AD 0A DC 5D 93 53 31 FB 9C EE FB AC F1 32 AD  ....].S1......2.
     [ 1184] 79 1A 02 44 12 2B C6 E4 2F 05 6B A6 CD 4F C4 C5  y..D.+../.k..O..
     [ 1200] 28 49 9B 53 A6 F9 5F B8 10 03 5B 43 95 DD FF 4F  (I.S.._...[C...O
     [ 1216] F9 40 0C F4 FB 5F 3E EE 9F 7F 00 00 00 00 00 00  .@..._>.........
     [ 1232] 00 00 00 00 10 A3 47 59 4E B9 97 08 09 AB CB 60  ......GYN......`
     [ 1248] 24 44 00 15 06 97 05 5A 5E F6 A4 40 00 0B 09 35  $D.....Z^..@...5
     [ 1264] BF BB 18 00 00 48 00 00 C3 8A EB 11 1F C3 3A 84  .....H........:.
     [ 1280] 4B 14 06 C1 C8 3B A4 94 37 32 58 A9 12 69 77 AD  K....;..72X..iw.
     [ 1296] CD 5B A1 D9 EA 7A D2 36 55 34 B0 72 FB 3E C7 5D  .[...z.6U4.r.>.]
     [ 1312] FE 5A FE F5 43 5B DB 44 A2 C7 7E 9D 75 F7 A5 23  .Z..C[.D..~.u..#
     [ 1328] 8D A3 A6 0B D3 0E 33 9C 14 AF B2 5A BB C1 DF AE  ......3....Z....
     [ 1344] B2 53 C9 CD 28 5D 7F 65 4C 46 78 65 78 15 A1 73  .S..(].eLFxex..s
     [ 1360] E9 BF 72 02 80 04 10 A5 C0 89 80 02 C4 29 56 1A  ..r..........)V.

     Per https://en.wikipedia.org/wiki/Executable_and_Linkable_Format I'm betting setting distance:64; could cover this.

     James
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
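An added example, not code from this thread or from Snort/Suricata: a toy Python model of the two content checks in sid:2000418, so the case-insensitivity point and James's distance:64 suggestion can be tried on bytes. The sample payloads are constructed (three rows of the dump above plus filler, since the packet tail is not in the thread, and a hand-built ELF64 header), and treating distance as "relative to the end of the magic match" is a simplifying assumption, not a claim about how the engine handles distance after a fast_pattern:only content.

```python
import re
import struct

ELF_MAGIC = b"\x7fELF"
NULLS = b"\x00" * 8

def find_magic(payload: bytes, nocase: bool) -> int:
    """Offset of the ELF magic or -1.  nocase=True models fast_pattern:only,
    which (as the thread says) hands the literal to the case-insensitive
    pattern matcher and never re-checks it case-sensitively."""
    flags = re.IGNORECASE if nocase else 0
    m = re.search(re.escape(ELF_MAGIC), payload, flags)
    return m.start() if m else -1

def rule_fires(payload: bytes, nocase: bool = True, distance=None) -> bool:
    """Toy model of the rule's two content checks (not the Snort engine).
    distance=None: the eight nulls may sit anywhere in the payload (rule as posted).
    distance=N:    assumed model of James's distance:N, i.e. the nulls must start
                   at least N bytes after the end of the magic match."""
    pos = find_magic(payload, nocase)
    if pos < 0:
        return False
    start = 0 if distance is None else pos + len(ELF_MAGIC) + distance
    return payload.find(NULLS, start) >= 0

def false_positive_sample() -> bytes:
    """Constructed from three rows of the hex dump in the thread (offsets 1216,
    1232 and 1344); the bytes between and after them are filler, not the real packet."""
    rows = ("F9400CF4FB5F3EEE9F7F000000000000"
            "0000000010A347594EB9970809ABCB60")
    row_1344 = "B253C9CD285D7F654C4678657815A173"   # "...(].eLFxex..s": 7F 65 4C 46
    return bytes.fromhex(rows) + b"\x41" * 96 + bytes.fromhex(row_1344)

def elf64_sample() -> bytes:
    """Constructed ELF64 header plus one PT_LOAD program header (layout per the
    ELF format page James cites); p_offset == 0 yields eight nulls past offset 68."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # class64, LE, v1, SYSV, EI_PAD
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
    return ehdr + phdr

if __name__ == "__main__":
    fp, elf = false_positive_sample(), elf64_sample()
    print("as posted  :", rule_fires(fp), rule_fires(elf))                              # True True
    print("case-exact :", rule_fires(fp, nocase=False), rule_fires(elf, nocase=False))  # False True
    print("distance:64:", rule_fires(fp, distance=64), rule_fires(elf, distance=64))    # False True
```

The constructed dump slice fires under the posted rule only because the lowercase "eLF" satisfies the case-insensitive fast-pattern hit and the nulls are allowed anywhere; a real ELF header fires under every variant.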

