[Intrusions] Assessing Your Malware Exposure with Snort
James Affeld
jamesaffeld at yahoo.com
Thu Mar 10 19:33:48 GMT 2005
I think the http_decode only applies to uricontent
matching. If I'm wrong - someone hit me with the
clue-stick.
--- "Keifer, Trey" <Trey.Keifer at fishnetsecurity.com> wrote:
> Does snort automatically decode URL obfuscation?
> Wouldn't that break your pcre matching if not?
>
> ---
> Trey Keifer, GCIH
> Security Engineer - Level II
> Fishnet Security
>
> Direct: 816.701.2073
> Main: 816.421.6611
> Toll Free: 888.732.9406
> Fax: 816.474.0394
>
> http://www.fishnetsecurity.com
>
>
>
> > -----Original Message-----
> > From: Cory.Bys at fbol.com [mailto:Cory.Bys at fbol.com]
> > Sent: Tuesday, February 15, 2005 10:39 AM
> > To: intrusions at lists.sans.org
> > Subject: [Intrusions] Assessing Your Malware Exposure with Snort
> >
> > I have written a few thousand Snort rules that are intended
> > to detect successful HTTP communication with hosts known to
> > be evil. They look for domain names in the Host string so
> > they are not subject to evasion by changing IP addresses.
> >
> > If you would like to give them a try you can grab them from
> > http://www.kgb.to/malware.html .
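The Host-header matching idea discussed in this thread, as an added Python illustration; it is not part of the original messages, not Snort code, and not taken from the rule set linked above. It matches the Host header line rather than the URI or the destination IP, so a percent-encoded URI does not change the result, while header-level variations (case, port suffix, trailing dot) are normalized first. The domain names and sample requests are constructed placeholders.

```python
import re

# Constructed placeholder blocklist (not from the rule set mentioned in the thread).
BLOCKED_DOMAINS = {"evil.example", "bad-ads.example"}

# Host header line, case-insensitive, anchored per line inside the header block.
HOST_RE = re.compile(rb"^Host[ \t]*:[ \t]*([^\r\n]*?)[ \t]*\r?$", re.I | re.M)

def host_of(request: bytes):
    """Return the normalized Host header value of a raw HTTP request, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]   # ignore the body
    m = HOST_RE.search(head)
    if not m:
        return None
    host = m.group(1).decode("ascii", "replace").lower()
    if re.search(r":\d+$", host):             # drop an explicit port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")                   # drop a trailing root dot

def is_blocked(host):
    """True if host equals a blocked domain or is a subdomain of one."""
    if not host:
        return False
    labels = host.split(".")
    # Compare whole label suffixes so 'notevil.example' does not match 'evil.example'.
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def alerts(requests):
    """Return (index, host) for each request whose Host header is blocked."""
    hits = []
    for i, req in enumerate(requests):
        host = host_of(req)
        if is_blocked(host):
            hits.append((i, host))
    return hits

# Constructed sample requests.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: www.evil.example\r\n\r\n",
    b"GET /%69ndex.html HTTP/1.1\r\nhost:EVIL.example:8080\r\nAccept: */*\r\n\r\n",
    b"GET /?q=evil.example HTTP/1.1\r\nHost: news.example\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: notevil.example\r\n\r\n",
]

if __name__ == "__main__":
    for idx, host in alerts(SAMPLES):
        print(f"request {idx}: blocked host {host}")
```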