List: emerging-sigs
Subject: Re: [Emerging-Sigs] RogueAV (.BKM) Sig
From: Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date: 2012-12-31 20:02:59
Message-ID: CAKrkXrNxR8K=k=8gwUPes4SzBCXk91fC_EB5x6bhGM9r4egBjw () mail ! gmail ! com
Yep. Will probably do 4 sigs. Will cook something up and get into QA.
Thanks!
Regards,
Will
On Mon, Dec 31, 2012 at 12:33 PM, waldo kitty <wkitty42@windstream.net> wrote:
> On 12/31/2012 12:52, yew chuan Ong wrote:
>
> > Hi,
> >
> > I am thinking how we can put all four URI into one signature. Appreciate if
> > anyone can help.
> >
>
> the only way i know would be PCRE but what are you going to anchor the
> initial content match to?
>
> what is wrong with one sig per match? have the MSGs to be the same with a
> numerical indicator which is firing or some such?
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for all versions of
> Suricata and Snort 2.4.0 through Current!
>