List: emerging-sigs
Subject: Re: [Emerging-Sigs] rule syntax problem
From: Russell Fulton <r.fulton () auckland ! ac ! nz>
Date: 2014-09-30 22:19:04
Message-ID: CF51492F-4F7C-424B-9C3D-FD20D9FB2EFE () auckland ! ac ! nz
On 1/10/2014, at 10:54 am, Francis Trudeau <ftrudeau@emergingthreats.net> wrote:
> Not sure if this didn't go through before, but have you tried this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely
> Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK
> "; depth:5; pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R";
> reference:url,doc.emergingthreats.net/2008124;
> classtype:trojan-activity; sid:2008124; rev:5;)
Works a treat! Well, at least from a syntax point of view ;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (Country Code +..)"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)
Perhaps this could be rev 6?
The old rule worked with snort and I picked up several bots that had arrived back with travelling academics.
Thanks, Russell.
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro \
http://www.emergingthreats.net
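The rule under discussion relies on two Snort/Suricata matching semantics that are easy to misread: content:"NICK " with depth:5 only matches when the five bytes sit at the very start of the payload, and the /R modifier anchors the PCRE at the byte immediately after that content match, not at the start of the packet. The following script is an added example written for this archive page; it is not the rule engine, not code from the list or from Emerging Threats, and it emulates only those two semantics in plain Python so that the pattern can be exercised against constructed IRC lines. The sample payloads and the function names are assumptions made for the example.

```python
import re

# Emulation of the relevant Snort/Suricata rule options (hypothetical helper,
# not the engine's own matcher):
#   content:"NICK "; depth:5;  -> the 5-byte pattern must lie entirely within
#                                 the first 5 bytes of the payload
#   pcre:"/[^\r\n]{0,7}[A-Z]{2,3}/R" -> the regex starts exactly where the
#                                       previous content match ended
CONTENT = b"NICK "
DEPTH = 5
PCRE = re.compile(rb"[^\r\n]{0,7}[A-Z]{2,3}")


def rule_matches(payload: bytes) -> bool:
    """Return True when the constructed payload satisfies both rule options."""
    # depth:5 limits the content search to the first DEPTH bytes; since the
    # pattern itself is 5 bytes long it can only match at offset 0
    idx = payload[:DEPTH].find(CONTENT)
    if idx == -1:
        return False
    # /R: relative match, anchored at the end of the content match.
    # Pattern.match(string, pos) anchors the regex at position pos.
    cursor = idx + len(CONTENT)
    return PCRE.match(payload, cursor) is not None


def scan(lines):
    """Return the subset of constructed IRC lines that would fire the rule."""
    return [line for line in lines if rule_matches(line)]


# Constructed sample IRC client lines (not captured traffic)
SAMPLE_LINES = [
    b"NICK USA|bot-4821\r\n",       # country-code style nick: fires
    b"NICK bot4821\r\n",            # no run of 2-3 capitals: does not fire
    b"NICK xxxxxxxNZ\r\n",          # 7 filler chars then capitals: fires
    b"NICK xxxxxxxxxxNZ\r\n",       # 10 filler chars exceeds {0,7}: no fire
    b"PRIVMSG #chan :NICK USA\r\n", # "NICK " not within depth:5: no fire
    b"nick USA\r\n",                # content match is case-sensitive: no fire
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(rule_matches(line), line)
```

Running it shows that the PCRE fires whenever two or three consecutive capitals appear within the first ten characters after the nick prefix, which is why nicks such as "USA|bot-4821" trip it while ordinary lowercase nicks do not; it also makes clear that a "NICK " token later in the line (for example inside a PRIVMSG) is outside the depth:5 window and never reaches the PCRE.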