Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Re: Fp ON 2001702

from [Frank Knobbe] Network Security [Permanent Link]
Subject: [Snort-sigs] Re: Fp ON 2001702
Date: Mon, 04 Jul 2005 12:47:19 -0500 
On Mon, 2005-07-04 at 11:24 -0400, Michael Scheidell wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; content:"User-Agent\: "; nocase;
content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
rev:6;) 

Should we not use some type of offset or use pcre to make sure 'Bundle'
comes after User-Agent?
Maybe this should be looked at for all of the 'user-agent' strings?


Some time ago I went through all User Agent strings and added a distance
option to the actual agent name part. That way it was split up and the
search depth was limited to speed up rule processing and limit false
positives.

It seems that the newly entered rules don't follow that example. I'll go
through later today and add a distance/within to all two-part User-Agent
sigs.

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Re: Fp ON 2001702, Matt Jonkman
Next by Date:  Re: [Snort-sigs] Re: Fp ON 2001702, Colin Grady
Previous by Thread:  Re: [Snort-sigs] Re: Fp ON 2001702, Frank Knobbe
Next by Thread:  Re: [Snort-sigs] Fp ON 2001702, Matt Jonkman
Indexes:  [Date] [Thread] [Top] [All Lists]