List: snort-sigs
Subject: Re: [Snort-sigs] Feasibility of one off rule
From: "Lay, James" <james.lay () wincofoods ! com>
Date: 2011-06-13 19:56:50
Message-ID: 9CD7E26FAC8E2D4F9778A1609AE132CF06534D90 () goexchange ! go ! winco ! local
Thanks for the response gents...appreciate it. Here's a more complete URL from my logs:

http://web1.51.la:82/go.asp?svid=5&id771531&tpages=1&ttimes&tzone=-6&tcolor$&sSize80,1050&referrerhttp://web1.51.la:82/go.asp?svid&idA23038&tpages=1&ttimes=1&tzone=-7&tcolor2&sSize80,1024&referrerhttp://web1.51.la:82/go.asp?svid=5&id534164&tpages=1&ttimes=1&tzone=-6&tcolor2&sSize52,864&referrer
Hope that helps. Thanks.
James
From: Alex Kirk [mailto:akirk@sourcefire.com]
Sent: Monday, June 13, 2011 10:54 AM
To: Lay, James
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Feasibility of one off rule
In principle, probably not a bad idea. In practice, there's a bit of an implementation challenge.

The issue is performance. You'd need something to stick in the fast pattern matcher - thus, a fixed string that shouldn't be too common - to make it more than "if I see traffic on these ports, fire", and thus make it not slow. I suppose you wouldn't see "GET" very often on off ports, so that might work; I'd just wonder if there's a more consistent piece of the HTTP headers that's a bit longer than 3 characters that we could expect to be able to use in a rule like this.
I don't suppose you've got more data than just the URL in question, do you?
On Mon, Jun 13, 2011 at 9:25 AM, Lay, James <james.lay@wincofoods.com> wrote:
Hey all!
Looking through logs today....have come across:
http://web1.51.la:82/go.asp
Which according to malwaredomains.com is no good. I was wondering if it
was feasible or a good idea to even create a rule that would fire on one
or two offs from the standard port? I do see that msn.com uses port 81
for an item:
http://apnxscm.ac3.msn.com:81/CACMSH.ashx?&t=1
These are all blocked anyway, but eh...was curious if this could be a
worthwhile idea. Thanks.
James
------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com
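The two-stage idea Alex describes (a cheap fixed-string prefilter, then the full check only on segments that pass it), worked through in Python as an added example. This is not Snort's code and not from the thread; the `HTTP_PORTS` set, the choice of `" HTTP/1."` as the anchor, the sample payloads and the `EXAMPLE_RULE` string are assumptions made here, and the rule text is illustrative rather than validated on a running sensor. The hosts in the samples are the two named in the thread.

```python
# Added illustration (not Snort's code, not from the thread): a two-stage
# check in the spirit of Snort's fast-pattern prefilter, run over constructed
# TCP payloads. Assumptions are marked below.
import re
from typing import List, Optional, Tuple

# Assumption: the deployment's $HTTP_PORTS. Segments to these ports are skipped.
HTTP_PORTS = {80, 443, 8080, 8000, 8443}

# Fixed anchor for the cheap first stage. Every HTTP/1.x request line ends in
# " HTTP/1.x", so it is longer and more selective than a bare "GET".
FAST_PATTERN = b" HTTP/1."

# Host from the thread's logs (flagged by malwaredomains.com per the original post).
BAD_HOSTS = {b"web1.51.la"}

# Assumption: one way to phrase the same logic as a Snort 2 rule (illustrative,
# not validated against a running sensor).
EXAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS ('
    'msg:"HTTP request to web1.51.la on non-standard port"; '
    'flow:to_server,established; content:" HTTP/1."; fast_pattern; '
    'content:"Host|3A| web1.51.la"; nocase; sid:1000001; rev:1;)'
)

REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")


def prefilter(payload: bytes, pattern: bytes = FAST_PATTERN) -> bool:
    """Stage 1: a plain substring search, the only work most segments get."""
    return pattern in payload


def parse_request(payload: bytes) -> Optional[Tuple[bytes, bytes, Optional[bytes]]]:
    """Stage 2: parse method, target and Host (port stripped); None if not HTTP."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    host = None
    for line in payload.split(b"\r\n")[1:]:
        if line == b"":            # blank line ends the headers
            break
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().split(b":")[0]
            break
    return m.group(1), m.group(2), host


def check_segment(dst_port: int, payload: bytes) -> Optional[str]:
    """Return an alert message for HTTP on a non-HTTP port, else None."""
    if dst_port in HTTP_PORTS or not prefilter(payload):
        return None
    req = parse_request(payload)
    if req is None:
        return None
    method, _target, host = req
    if host in BAD_HOSTS:
        return f"HTTP request to known-bad host {host.decode()} on port {dst_port}"
    return f"HTTP request ({method.decode()}) on non-standard port {dst_port}"


# Constructed samples: the two hosts named in the thread plus non-HTTP noise.
SAMPLES: List[Tuple[int, bytes]] = [
    (82, b"GET /go.asp?svid=5&tpages=1 HTTP/1.1\r\nHost: web1.51.la:82\r\n\r\n"),
    (81, b"GET /CACMSH.ashx?&t=1 HTTP/1.1\r\nHost: apnxscm.ac3.msn.com:81\r\n\r\n"),
    (82, b"SSH-2.0-OpenSSH_5.8\r\n"),
    (82, b"GET ME THE REPORT\r\n"),   # non-HTTP data that happens to contain "GET"
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def scan(samples: List[Tuple[int, bytes]]) -> List[str]:
    """Run both stages over every segment and collect the alerts."""
    alerts = []
    for port, payload in samples:
        msg = check_segment(port, payload)
        if msg is not None:
            alerts.append(msg)
    return alerts


def prefilter_hits(samples: List[Tuple[int, bytes]], pattern: bytes) -> int:
    """How many segments would reach the expensive stage with this anchor."""
    return sum(1 for _port, payload in samples if prefilter(payload, pattern))


if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
    print("stage-2 candidates with 'GET':     ", prefilter_hits(SAMPLES, b"GET"))
    print("stage-2 candidates with ' HTTP/1.':", prefilter_hits(SAMPLES, FAST_PATTERN))
```

Running it alerts on the port-82 request to web1.51.la and, with the generic message, on the port-81 msn.com request, while the SSH banner and the non-HTTP line never reach the parser. The two `prefilter_hits` counts make Alex's point concrete: on this sample set `"GET"` passes one more segment to the expensive stage than `" HTTP/1."` does, and the gap grows with any non-HTTP protocol that carries those three letters.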