Solved

question regarding snort rule

Posted on 2013-11-25
1
909 Views
Last Modified: 2013-12-02
Hi,
I am somewhat new to reading snort rule sets.  Can someone translate this for me.  Thanks.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)
0
Comment
Question by:NYGiantsFan
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39674941
Alert when a TCP connection from your network connects to an external network on http ports (typically just 80), and when the flow that is established contains the words "User-Agent: SogouIME?".

3a is a colon, that's why they have plain-text mixed with hex (and that's why there are pipe characters in the rule) is so snort and or suricata don't interpret the colon as a rule delimiter. |3a| just means colon, it's an easy escape sequence for that rule, but it's not the only way to do it.
http://doc.emergingthreats.net/2011176
Read down toward the bttom of the references to see what notes might (or might not) be present about the rules.
-rich
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now