[Emerging-Sigs] rule syntax problem

Russell Fulton r.fulton at auckland.ac.nz
Tue Sep 30 18:19:04 EDT 2014


On 1/10/2014, at 10:54 am, Francis Trudeau <ftrudeau at emergingthreats.net> wrote:

> Not sure if this didn't go through before, but have you tried this:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely
> Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK
> "; depth:5; pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R";
> reference:url,doc.emergingthreats.net/2008124;
> classtype:trojan-activity; sid:2008124; rev:5;)

Works a treat! Well, at least from a syntax point of view ;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (Country Code +..)"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)

Perhaps this could be rev 6?

The old rule worked with snort and I picked up several bots that had arrived back with travelling academics.

Thanks, Russell.
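As an added illustration (not part of the thread or the ET ruleset), here is a small Python emulation of the rule's payload keywords: `content:"NICK "` limited by `depth:5`, followed by the relative (`/R`) pcre, run over constructed IRC client payloads. The mapping of Snort's depth and /R semantics onto Python string operations is an assumption stated in the comments.

```python
import re

CONTENT = b"NICK "      # content:"NICK "  (case-sensitive: the rule has no nocase)
DEPTH = 5               # depth:5 -> the whole content must lie within the first 5 bytes
# pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R"
RELATIVE_PCRE = re.compile(rb"[^\r\n]{0,7}[A-Z]{2,3}")

def matches_rule(payload: bytes) -> bool:
    """Return True if the payload would satisfy the rule's payload keywords."""
    # Assumption: depth:5 restricts the content search to the first DEPTH bytes,
    # so a 5-byte content can only match at offset 0.
    offset = payload[:DEPTH].find(CONTENT)
    if offset == -1:
        return False
    # Assumption: /R starts the pcre at the detection cursor left by the content
    # match (like distance:0) but does not anchor it, so the regex may match
    # anywhere from that point on. Because [^\r\n]{0,7} may be empty, the
    # effective condition is "2-3 consecutive uppercase letters somewhere after
    # the content match".
    cursor = offset + len(CONTENT)
    return RELATIVE_PCRE.search(payload, cursor) is not None

# Constructed sample client-to-server payloads (not real captures), with the
# verdict the emulation should give for each.
SAMPLES = {
    b"NICK USAbot12345\r\n": True,                # country-code style nick
    b"NICK abc[DE]\r\n": True,                    # uppercase run later in the nick
    b"NICK lowercase\r\n": False,                 # no uppercase run at all
    b"nick USAbot\r\n": False,                    # content match is case-sensitive
    b"USER u 0 * :x\r\nNICK USAbot\r\n": False,   # NICK not within depth:5
    b"NICK lower\r\nUSER x\r\n": True,            # unanchored pcre hits "USE" on the next line
}

def check_samples() -> dict:
    """Run every constructed sample through the emulation."""
    return {payload: matches_rule(payload) for payload in SAMPLES}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        got = matches_rule(payload)
        print(f"{payload!r:45} -> {got} (expected {expected})")
```

The last sample is the caveat worth knowing when tuning this signature: a NICK line followed by USER in the same segment will match on the uppercase command name, not on the nick.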

