[Emerging-Sigs] .ch.vu sigs

Rodrigo Montoro(Sp0oKeR) spooker at gmail.com
Thu Mar 1 12:56:26 EST 2012


Nice post here about fast_pattern =)

http://vrt-blog.snort.org/2012/02/low-hanging-fruit.html

Regards,


On Mon, Feb 27, 2012 at 4:18 PM, Matthew Jonkman <jonkman at gmail.com> wrote:
> Posting, thanks!
>
> Matt
>
>
> On Feb 24, 2012, at 2:40 PM, harry.tuttle wrote:
>
>> Seeing some badness on .ch.vu.
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.ch.vu domain"; flow: to_server,established; content:".ch.vu|0D 0A|"; fast_pattern:only; http_header; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
>>
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
>>
>> Regards,
>> Harry
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
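To make the byte patterns in the two posted rules concrete, here is an added Python example (not from the thread or from the ET ruleset) that builds constructed DNS queries and HTTP requests and applies the same offset/depth and CRLF-anchored content checks the rules express; the helper names are the example's own and the HTTP header buffer is approximated as everything before the blank line. It also shows two consequences of the match conditions: the `|02|ch|02|vu` label sequence matches anywhere in a query name, and a Host header carrying an explicit port escapes the `.ch.vu|0D 0A|` anchor.

```python
import struct

# Byte patterns lifted from the two rules in the thread.
DNS_QUERY_HDR = bytes.fromhex("01000001000000000000")  # flags=0x0100, QD=1, AN/NS/AR=0
DNS_LABELS = b"\x02ch\x02vu"                           # content:"|02|ch|02|vu"; nocase
HTTP_TAIL = b".ch.vu\r\n"                               # content:".ch.vu|0D 0A|"; http_header


def build_dns_query(name: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Construct a wire-format DNS A query for `name` (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_rule_matches(payload: bytes) -> bool:
    """Mirror the DNS rule: 10 header bytes at offset 2/depth 10, then the
    label sequence after them (distance:0), case-insensitively (nocase)."""
    if payload[2:12] != DNS_QUERY_HDR:
        return False
    return DNS_LABELS in payload[12:].lower()


def http_rule_matches(request: bytes) -> bool:
    """Mirror the HTTP rule: '.ch.vu\\r\\n' must appear in the header block.
    Simplification: the buffer is everything before the blank line."""
    header_block = request.split(b"\r\n\r\n", 1)[0] + b"\r\n"
    return HTTP_TAIL in header_block


def build_http_request(host: str) -> bytes:
    """Constructed minimal GET request with the given Host header value."""
    return b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nUser-Agent: x\r\n\r\n"


if __name__ == "__main__":
    for qname in ("evil.ch.vu", "EVIL.CH.VU", "ch.vu.example.com", "ach.vu"):
        print(f"DNS {qname:20s} -> {dns_rule_matches(build_dns_query(qname))}")
    # A response (QR bit set) fails the header check even with the same name.
    print("DNS response          ->", dns_rule_matches(build_dns_query("evil.ch.vu", flags=0x8180)))
    for host in ("evil.ch.vu", "evil.ch.vu:8080"):
        print(f"HTTP Host {host:16s} -> {http_rule_matches(build_http_request(host))}")
```

The port case is the one to keep in mind when reviewing hits: a client that sends `Host: evil.ch.vu:8080` will be caught by the DNS rule but not by the HTTP one.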

