Russell Fulton r.fulton at auckland.ac.nz
Tue Sep 30 17:49:29 EDT 2014


I want to modify this rule for local usage (basically swapping RE for "USA" ;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)

I want to replace content:"USA";
with something like pcre /[A-Z]{2,3}/

If I do so I get an error on the within clause which I take to mean that I can't use it with a pcre.  Anyone have any suggestions on how to generalise this rule?

BTW I don't want to just replace USA with NZ since then I won't pick up laptops that have been infected in the US and then brought home.
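The within/pcre interaction asked about, as an added example that is not part of the original post: a small Python model of how Snort and Suricata evaluate content:"NICK "; depth:5; followed by either content:"USA"; within:10; (the ET rule) or a relative-anchored pcre (the R modifier, which is what replaces within: when the second pattern becomes a regex). The regex /^.{0,7}[A-Z]{2,3}/R and the sample NICK lines are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample payloads (not from the original post). The first 5 bytes
# are the "NICK " command that content:"NICK "; depth:5; matches.
SAMPLES = {
    "usa_bot":    b"NICK [USA|XP|48213]\r\n",   # the original ET rule fires
    "nz_bot":     b"NICK [NZ|XP|48213]\r\n",    # same bot style, NZ prefix
    "plain":      b"NICK johndoe\r\n",          # ordinary user
    "upper_nick": b"NICK DJ_bob\r\n",           # legitimate nick, uppercase run
}

# Stand-in for pcre:"/^.{0,7}[A-Z]{2,3}/R". The R modifier anchors the regex at
# the end of the previous content match, and .{0,7} keeps the 2-3 letter run
# inside the same 10-byte window that within:10 gave the literal "USA".
GENERAL_RE = re.compile(rb"^.{0,7}[A-Z]{2,3}")


def nick_command_end(payload: bytes) -> Optional[int]:
    """content:"NICK "; depth:5; -- the pattern must lie in the first 5 bytes.
    Returns the offset just past the match (the detect-offset-end), or None."""
    idx = payload[:5].find(b"NICK ")
    if idx < 0:
        return None
    return idx + len(b"NICK ")


def original_rule(payload: bytes) -> bool:
    """content:"USA"; within:10; -- "USA" must end within 10 bytes of the
    previous match's end, so the search window is payload[end:end + 10]."""
    end = nick_command_end(payload)
    if end is None:
        return False
    return b"USA" in payload[end:end + 10]


def generalised_rule(payload: bytes) -> bool:
    """pcre with the R (relative) modifier: the regex runs from the previous
    match's end, so ^ means 'right after NICK ' and within: is not needed."""
    end = nick_command_end(payload)
    if end is None:
        return False
    return GENERAL_RE.match(payload[end:]) is not None


def evaluate(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample name to (original rule fires, generalised rule fires)."""
    return {name: (original_rule(p), generalised_rule(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, gen) in evaluate(SAMPLES).items():
        print(f"{name:11s} original={orig!s:5s} generalised={gen}")
```

Running it shows the generalised rule also fires on "DJ_bob", an ordinary nick with a two-letter uppercase run, so a loosened pattern like this needs tuning or extra context in the rule to keep false positives down.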


