[Emerging-Sigs] SIG for JAR-Download :: Have you checked the Java?

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 25 19:53:57 EDT 2010


I think it's worth running both, but disabled by default. Any objections?

Matt

On Oct 24, 2010, at 12:27 PM, Mex wrote:

> 
> Does this always work with gzip'd and chunk'd content?
> I remember this flaw some weeks ago with older versions of
> Snort.
> 
> If it works I think yours is the better sig;
> or maybe run them both to see 1. the request and 2. the response?
> 
> Martin Holste wrote:
>> I've been running a JAR sig for a long time, and it's been very
>> helpful for post-mortems or data mining.  My sig is a little
>> different:
>> 
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
>>   msg:"LOCAL JAR file download"; flow:from_server,established; \
>>   content:"PK"; depth:500; content:"META-INF/"; within:100; \
>>   content:"MANIFEST"; within:100; classtype:not-suspicious; \
>>   sid:xxx; rev:1;)
>> 
>> On Sun, Oct 24, 2010 at 4:55 AM, Mex <mail at mare-system.de> wrote:
>>> Maybe deactivated by default for office networks?
>>> 
>>> http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>>>   msg:"JAVA JAR Download Attempt"; flow:established,to_server; \
>>>   uricontent:".jar"; classtype:bad-unknown; \
>>>   reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; \
>>>   sid:xxxxxxxx; rev:1;)
>>> 
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>> 
> 
> -- 
> 
> 
> mex
> 
> 
> Security InfoCenter   .:.   http://www.mare-system.de/sic
> DONT PANIC            .:.   http://www.mare-system.de/emergency 
> MARE System Kiel      .:.   http://www.mare-system.de
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
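
Mex's question in the quoted thread, whether the response-side rule holds up against gzip'd and chunk'd content, is easy to reproduce outside Snort. What follows is an added example, not code from the thread, from Emerging Threats or from Snort: it builds a constructed minimal JAR, wraps it in a constructed HTTP/1.1 response with optional chunked transfer coding and gzip content coding, and runs an approximation of the three content checks in Martin Holste's rule over the bytes as they cross the wire and again after de-chunking and gunzipping. The chunk size (8 bytes) is deliberately tiny so the framing is certain to split the 9-byte "META-INF/" string, and the matcher is a single-buffer approximation of Snort's depth/within semantics, not Snort's engine.

```python
"""Emulation of the response-side JAR rule from the thread, run over a
constructed HTTP response with and without chunked transfer encoding and
gzip content encoding.  Added example; not code from the thread."""
import gzip
import io
import zipfile

# Pathologically small chunk size (constructed) so the chunk framing is
# guaranteed to fall inside the 9-byte "META-INF/" string; with realistic
# chunk sizes whether a pattern straddles a boundary is luck of the offsets.
CHUNK_SIZE = 8


def match_jar_rule(body: bytes) -> bool:
    """Approximate the rule's content checks on a single buffer:
    "PK" within the first 500 bytes (depth:500), "META-INF/" ending
    within 100 bytes of it (within:100), "MANIFEST" within 100 bytes of
    that.  Later "PK" hits are retried if the relative matches fail."""
    start = 0
    while True:
        pk = body.find(b"PK", start, 500)
        if pk < 0:
            return False
        cur = pk + 2
        mi = body.find(b"META-INF/", cur, cur + 100)
        if mi >= 0:
            cur = mi + len(b"META-INF/")
            if body.find(b"MANIFEST", cur, cur + 100) >= 0:
                return True
        start = pk + 1


def dechunk(body: bytes) -> bytes:
    """Strip chunked transfer-coding framing (RFC 2616 section 3.6.1)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the CRLF that follows the chunk data


def decode_http_body(raw: bytes) -> bytes:
    """Split a raw HTTP response, de-chunk, then gunzip: the normalised
    body an HTTP preprocessor would hand to the detection engine."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def build_jar() -> bytes:
    """Constructed sample JAR: a ZIP whose first entry is
    META-INF/MANIFEST.MF, as jar(1) lays it out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\r\nMain-Class: Hello\r\n\r\n")
        z.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
    return buf.getvalue()


def chunk(body: bytes, size: int = CHUNK_SIZE) -> bytes:
    """Apply chunked transfer-coding framing with fixed-size chunks."""
    out = bytearray()
    for i in range(0, len(body), size):
        piece = body[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out + b"0\r\n\r\n")


def build_response(jar: bytes, chunked: bool, gzipped: bool) -> bytes:
    """Constructed HTTP/1.1 200 response carrying the JAR."""
    body = gzip.compress(jar) if gzipped else jar
    hdrs = [b"HTTP/1.1 200 OK", b"Content-Type: application/java-archive"]
    if gzipped:
        hdrs.append(b"Content-Encoding: gzip")
    if chunked:
        hdrs.append(b"Transfer-Encoding: chunked")
        body = chunk(body)
    else:
        hdrs.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(hdrs) + b"\r\n\r\n" + body


def rule_results(chunked: bool, gzipped: bool) -> tuple:
    """(match on the bytes as seen on the wire, match after decoding)."""
    raw = build_response(build_jar(), chunked, gzipped)
    wire_body = raw.partition(b"\r\n\r\n")[2]
    return match_jar_rule(wire_body), match_jar_rule(decode_http_body(raw))


if __name__ == "__main__":
    for chunked in (False, True):
        for gzipped in (False, True):
            wire, decoded = rule_results(chunked, gzipped)
            print(f"chunked={chunked!s:5} gzipped={gzipped!s:5} "
                  f"wire={wire!s:5} decoded={decoded}")
```

On the wire, the chunked and the gzipped responses never satisfy the three checks, while the decoded body does in every case. That gap is what a rule evaluated on raw payload versus one evaluated after HTTP body normalisation looks like, and it is the practical argument for Mex's suggestion to run the request-side `uricontent:".jar"` rule alongside: the URI check depends on no body decoding at all.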