[Intrusions] Assessing Your Malware Exposure with Snort

Cory.Bys at fbol.com
Thu Mar 10 15:28:34 GMT 2005


One of the advantages of the way we chose to create the rules is that they
do not look at the URL, so URL encoding doesn't matter. They look at the
Host field in the HTTP request header.

To answer your initial question, I believe http_inspect in /etc/snort.conf
normalizes requests but it's tricky to configure correctly so I usually
just disable it.
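An added example, not Cory's rule set or any code from the thread, of the two points above: a matcher that keys on the Host header and so is unaffected by percent-encoding of the URI, beside a generator for Snort 2.x-style rules of that shape. The rule layout, the domain names and the sample requests are my own constructions; the posted rules at kgb.to may look different.

```python
import re

# Constructed blocklist (hypothetical domain names, not from the posted rule set).
EVIL_DOMAINS = ["evil.example", "c2.badhost.example"]


def host_regex(domain: str) -> str:
    """Regex that matches a Host header line for `domain` or any subdomain of it.
    Tolerates an optional trailing dot (FQDN form) and an optional :port.
    Used both by the Python matcher below and as the rule's pcre body."""
    return rf"^Host\x3A[ \t]*([^\r\n]+\.)?{re.escape(domain)}\.?(\x3A\d+)?\r?$"


def snort_rule(domain: str, sid: int) -> str:
    """Emit a Snort 2.x-style rule keyed on the Host header, not the URI.
    The two content matches are a cheap prefilter; the pcre enforces the
    label boundary. It inspects the raw payload, so it works with
    http_inspect disabled (rule layout is my assumption, not Cory's rules)."""
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
        f'(msg:"MALWARE HTTP request to {domain}"; flow:to_server,established; '
        f'content:"Host|3A|"; nocase; content:"{domain}"; nocase; distance:0; '
        f'pcre:"/{host_regex(domain)}/mi"; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def raw_pcre_hits(request: bytes, domain: str) -> bool:
    """What the rule's pcre sees: the whole TCP payload, headers and body alike."""
    return re.search(host_regex(domain).encode(), request, re.I | re.M) is not None


HOST_LINE = re.compile(rb"^Host:[ \t]*([^\r\n]+)\r?$", re.I | re.M)


def extract_host(request: bytes):
    """Host header value from a raw HTTP request, or None. Only the header
    block (everything before the first blank line) is searched."""
    header_block = request.split(b"\r\n\r\n", 1)[0]
    m = HOST_LINE.search(header_block)
    return m.group(1).strip() if m else None


def normalize_host(value: bytes) -> str:
    """Lowercase, drop an optional :port and a trailing dot."""
    host = value.decode("latin-1").lower()
    if host.startswith("["):  # IPv6 literal; the rules target names, leave as-is
        return host
    return host.split(":", 1)[0].rstrip(".")


def host_matches(request: bytes, blocklist):
    """Blocklisted domain that the request's Host header belongs to, or None.
    'www.evil.example' matches 'evil.example'; 'notevil.example' does not."""
    raw = extract_host(request)
    if raw is None:
        return None
    host = normalize_host(raw)
    for domain in blocklist:
        d = domain.lower()
        if host == d or host.endswith("." + d):
            return domain
    return None


# Constructed sample requests, one per case the thread raises.
SAMPLE_REQUESTS = {
    # Percent-encoded path: the Host header is untouched, so the match still fires.
    "encoded_uri": (b"GET /%63%67%69-bin/%6C%6F%61%64%65%72 HTTP/1.1\r\n"
                    b"Host: evil.example\r\nUser-Agent: x\r\n\r\n"),
    # Mixed-case header name and value, subdomain, explicit port.
    "mixed_case_port": b"GET / HTTP/1.1\r\nhOsT: WWW.Evil.EXAMPLE:8080\r\n\r\n",
    # Look-alike name must not match (label boundary).
    "lookalike": b"GET / HTTP/1.1\r\nHost: notevil.example\r\n\r\n",
    # Evil name only in the URI and the POST body; the real Host is benign.
    "uri_only": (b"POST /redirect?to=http://evil.example/ HTTP/1.1\r\n"
                 b"Host: cdn.example\r\nContent-Length: 20\r\n\r\n"
                 b"Host: evil.example\r\n"),
}


def classify_all():
    """Verdict of the header-aware matcher for every sample request."""
    return {name: host_matches(req, EVIL_DOMAINS) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        raw = raw_pcre_hits(SAMPLE_REQUESTS[name], "evil.example")
        print(f"{name:16s} header-aware: {verdict!s:14s} raw pcre: {raw}")
    print(snort_rule("evil.example", 1000001))
```

The "uri_only" case is the caveat worth keeping in mind with http_inspect turned off: a pcre over the raw payload cannot tell a header line from a body line that happens to start with "Host:", so it fires where the header-aware matcher does not. Later Snort 2.x releases added the http_header content modifier, which restricts the match to the normalized header block, but that modifier needs http_inspect enabled on the stream.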

From: "Keifer, Trey" <Trey.Keifer at fishnetsecurity.com>
Sent by: intrusions-bounces at lists.sans.org
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
cc:
Date: 03/09/2005 02:50 PM
Subject: RE: [Intrusions] Assessing Your Malware Exposure with Snort
Please respond to: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>

Does snort automatically decode URL obfuscation? Wouldn't that break your
pcre matching if not?

---
Trey Keifer, GCIH
Security Engineer - Level II
Fishnet Security

Direct: 816.701.2073
Main: 816.421.6611
Toll Free: 888.732.9406
Fax: 816.474.0394

http://www.fishnetsecurity.com



> -----Original Message-----
> From: Cory.Bys at fbol.com [mailto:Cory.Bys at fbol.com]
> Sent: Tuesday, February 15, 2005 10:39 AM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] Assessing Your Malware Exposure with Snort
>
> I have written a few thousand Snort rules that are intended
> to detect successful HTTP communication with hosts known to
> be evil. They look for domain names in the Host string so
> they are not subject to evasion by changing IP addresses.
>
> If you would like to give them a try you can grab them from
> http://www.kgb.to/malware.html .


_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
