[Intrusions] Assessing Your Malware Exposure with Snort
Keifer, Trey
Trey.Keifer at fishnetsecurity.com
Wed Mar 9 20:50:44 GMT 2005
Does Snort automatically decode URL obfuscation? Wouldn't that break your pcre matching if not?
---
Trey Keifer, GCIH
Security Engineer - Level II
Fishnet Security
Direct: 816.701.2073
Main: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.474.0394
http://www.fishnetsecurity.com
> -----Original Message-----
> From: Cory.Bys at fbol.com [mailto:Cory.Bys at fbol.com]
> Sent: Tuesday, February 15, 2005 10:39 AM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] Assessing Your Malware Exposure with Snort
>
> I have written a few thousand Snort rules that are intended
> to detect successful HTTP communication with hosts known to
> be evil. They look for domain names in the Host string so
> they are not subject to evasion by changing IP addresses.
>
> If you would like to give them a try you can grab them from
> http://www.kgb.to/malware.html .
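
The question in this thread is whether a literal pattern on the Host string still matches when the same host is written in an equivalent form. The Python sketch below is an added example, not part of either message or of the posted rule set, and it makes no claim about what Snort itself normalizes; the blocklist entries, sample requests and function names are constructed for illustration.

```python
import re

# Constructed blocklist; these example.* names are placeholders, not from the rule set.
BLOCKED_DOMAINS = {"bad.example.com", "evil.example.net"}

# Literal, case-sensitive pattern of the kind a hand-written rule might use.
NAIVE = re.compile(rb"Host: bad\.example\.com\r\n")

# Header names are case-insensitive and whitespace around the value is optional.
HOST_LINE = re.compile(rb"^host[ \t]*:[ \t]*([^\r\n]*?)[ \t]*\r?$", re.I | re.M)


def normalize_host(raw: bytes) -> str:
    """Reduce a Host header value to a canonical lowercase DNS name."""
    host = raw.decode("latin-1").strip().lower()
    if host.startswith("["):           # IPv6 literal: keep the bracketed address
        return host.split("]")[0] + "]"
    host = host.rsplit(":", 1)[0]      # drop an optional :port
    return host.rstrip(".")            # "name." and "name" are the same host


def blocked_host(request: bytes):
    """Return the blocklisted domain the request's Host matches, else None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    m = HOST_LINE.search(head)
    if not m:
        return None
    labels = normalize_host(m.group(1)).split(".")
    # Compare the host and each parent domain on label boundaries,
    # so subdomains match but "notbad.example.com" does not.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


# Constructed sample requests: three spellings of one host, plus a benign look-alike.
SAMPLES = [
    b"GET /a HTTP/1.1\r\nHost: bad.example.com\r\n\r\n",
    b"GET /a HTTP/1.1\r\nhost:BAD.Example.COM:80\r\n\r\n",
    b"GET /a HTTP/1.1\r\nHost: cdn.bad.example.com.\r\n\r\n",
    b"GET /a HTTP/1.1\r\nHost: notbad.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(bool(NAIVE.search(req)), blocked_host(req))
```

The literal pattern fires only on the first sample, while the normalized comparison flags the first three and leaves the look-alike alone.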