[Emerging-Sigs] rule syntax problem

Francis Trudeau ftrudeau at emergingthreats.net
Tue Sep 30 17:54:30 EDT 2014


Not sure if this didn't go through before, but have you tried this:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)

ft



On Tue, Sep 30, 2014 at 3:49 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> I want to modify this rule for local usage (basically swapping RE for "USA" ;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)
>
> I want to replace content:"USA";
> with something like pcre /[A-Z]{2,3}/
>
> If I do so I get an error on the within clause, which I take to mean that I can't use it with a pcre. Anyone have any suggestions on how to generalise this rule?
>
> BTW I don't want to just replace USA with NZ since then I won't pick up laptops that have been infected in the US and then brought home.
>
> Russell

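An added example, not from either poster, that models how the content/depth match and the relative (/R) pcre in Francis's rule evaluate against constructed IRC NICK payloads. It is a Python model of the matching order, not Snort's engine; the anchored pattern PCRE_ANCHORED is a hypothetical variant included only to show what the unanchored original accepts.

```python
import re

# Options from the rule in the thread: "NICK " must sit inside the first 5 payload bytes.
CONTENT = b"NICK "
DEPTH = 5

# The pcre from Francis's reply, without the /.../R delimiters. The R flag
# is modelled by searching only the bytes that follow the content match.
PCRE_UNANCHORED = rb"[^\r\n]{0,7}[A-Z]{2,3}"

# Hypothetical anchored variant (assumption, not from the thread): \A pins the
# pattern to the byte right after "NICK ", so the {0,7} bound actually applies.
PCRE_ANCHORED = rb"\A[^\r\n]{0,7}[A-Z]{2,3}"


def rule_matches(payload: bytes, pcre: bytes = PCRE_UNANCHORED) -> bool:
    """Model of: content:"NICK "; depth:5; pcre:"/.../R"; for one payload."""
    # depth:5 means the whole content must be found within the first 5 bytes.
    pos = payload[:DEPTH].find(CONTENT)
    if pos < 0:
        return False
    # /R: the regex runs from the end of the previous content match.
    relative = payload[pos + len(CONTENT):]
    return re.search(pcre, relative) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    b"NICK USA|1234\r\n": True,   # nick starts with an uppercase country code
    b"NICK [USA]bob\r\n": True,   # code preceded by a short prefix, still within 7 bytes
    b"NICK bob\r\n": False,       # no 2-3 uppercase run anywhere
    b"PRIVMSG #chan :NICK USA\r\n": False,  # "NICK " not in the first 5 bytes
}


def check_samples() -> dict:
    """Return {payload: (unanchored_result, anchored_result)} for the samples."""
    return {p: (rule_matches(p), rule_matches(p, PCRE_ANCHORED)) for p in SAMPLES}


if __name__ == "__main__":
    for payload, (loose, strict) in check_samples().items():
        print(f"{payload!r:40} unanchored={loose} anchored={strict}")
```

Because the original pattern is unanchored and its first group can match zero bytes, a later line such as a USER command containing two adjacent capitals also satisfies it; the anchored variant confines the check to the nick itself.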