[unisog] Snort woes

H. Morrow Long morrow.long at yale.edu
Mon Jan 24 15:44:21 GMT 2005


On Jan 24, 2005, at 3:51 AM, Valdis.Kletnieks at vt.edu wrote:
> Could you please post the definition of that rule?  It's hard to figure out
> what its problem is if we don't have the rule handy (or at least I can't
> intuit it at 3:51AM without the rule.. :)

Valdis -

Russell has probably gone to sleep, it being either
yesterday or tomorrow over there in Kiwiland (is
he just about to wake up?).  Anyway, here's the stock
Bleeding Edge Snort rule for the malware known
as the 'Fun Web Products Agent' (you can find the
current Bleeding Edge Snort signatures in the file
http://www.bleedingsnort.com/bleeding-all.rules ):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; 
classtype:policy-violation; reference:url,www.funwebproducts.com; 
content:"FunWebProducts\;"; nocase; flow:to_server,established; 
threshold:type limit, track by_src, count 2, seconds 360; sid:2001034; 
rev:10;)

- H. Morrow Long, CISSP, CISM
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

On Jan 24, 2005, at 3:51 AM, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 24 Jan 2005 17:35:22 +1300, Russell Fulton said:
>
>> SID     CID     TimeStamp               Signature
>> 4       164508  2005-01-24 16:53:31     BLEEDING-EDGE Malware Fun Web Products Agent Traffic
>
>> the rule triggers on content:"FunWebProducts\;"
>>
>> This particular rule is very prone to the problem but I see others as
>> well including snort.org rules.
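The rule quoted in the message above, parsed by a small Snort rule-option splitter that honours the escaped semicolon in content:"FunWebProducts\;" and decodes the threshold clause. This is an added example, not code from the thread or from the Bleeding Edge project; RULE is a constructed one-line copy of the rule as posted, and the function names are the example's own.

```python
import re
# Constructed copy of the Bleeding Edge rule quoted above, joined onto one line.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"BLEEDING-EDGE Malware Fun Web Products Agent Traffic"; '
        'classtype:policy-violation; reference:url,www.funwebproducts.com; '
        'content:"FunWebProducts\\;"; nocase; flow:to_server,established; '
        'threshold:type limit, track by_src, count 2, seconds 360; '
        'sid:2001034; rev:10;)')

def split_options(body):
    # Split on ';' except '\;' or a ';' inside quotes: content:"FunWebProducts\;"
    opts, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):      # keep the escape pair intact
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts

def parse_rule(rule):
    # Header is: action proto src sport dir dst dport, then (options...)
    m = re.match(r'^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)'
                 r'\s*\((.*)\)\s*$', rule, re.S)
    if not m: raise ValueError('not a Snort rule')
    names = ['action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport']
    options = []                  # ordered (key, value); value None for flags
    for opt in split_options(m.group(8)):
        key, sep, val = opt.partition(':')
        options.append((key.strip(), val.strip() if sep else None))
    return {'header': dict(zip(names, m.groups()[:7])), 'options': options}

def option(parsed, key):
    # First value for a key, or None when the option is absent.
    return next((v for k, v in parsed['options'] if k == key), None)

def content_patterns(parsed):
    # Literal text each content: option matches, with '\;' unescaped to ';'
    return [re.sub(r'\\(.)', r'\1', v.strip('"'))
            for k, v in parsed['options'] if k == 'content']

def threshold(parsed):
    # 'type limit, track by_src, count 2, seconds 360' -> dict with ints
    fields = dict(p.split() for p in option(parsed, 'threshold').split(','))
    return {k: int(v) if v.isdigit() else v for k, v in fields.items()}
```

Running content_patterns(parse_rule(RULE)) shows the rule matches the literal text "FunWebProducts;" anywhere in the client request, which is the first thing to check when a rule fires more often than expected.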