Solved

question regarding snort rule

Posted on 2013-11-25
969 Views
Last Modified: 2013-12-02
Hi,
I am somewhat new to reading snort rule sets. Can someone translate this for me? Thanks.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)
Question by:NYGiantsFan
Accepted Solution

by: Rich Rumble earned 500 total points
ID: 39674941
Alert when a TCP connection from your network connects to an external network on http ports (typically just 80), and when the flow that is established contains the words "User-Agent: SogouIME?".

3a is a colon, that's why they have plain-text mixed with hex (and that's why there are pipe characters in the rule) is so snort and/or suricata don't interpret the colon as a rule delimiter. |3a| just means colon, it's an easy escape sequence for that rule, but it's not the only way to do it.
http://doc.emergingthreats.net/2011176
Read down toward the bottom of the references to see what notes might (or might not) be present about the rules.
-rich
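To make the translation in the accepted answer concrete, here is an added example (not part of the original thread, and not Snort or Suricata code): a small Python parser that splits the rule from the question into its header fields and options, decodes the |3a| hex escape inside the content: match the way Snort does, and then checks the decoded pattern against two constructed HTTP requests. The request matching and the http_header buffer are modeled only loosely (header section of the request, optional nocase), which is enough to show why the rule fires on "User-Agent: SogouIME?" and not on an ordinary browser.

```python
import re

# The Emerging Threats rule from the question, copied verbatim.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; '
        'flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; '
        'reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; '
        'sid:2008500; rev:6;)')

# Constructed sample requests (not real traffic): one with the spyware
# User-Agent the rule looks for, one from an ordinary browser.
SUSPECT = (b'GET /update HTTP/1.1\r\nHost: example.invalid\r\n'
           b'User-Agent: SogouIME?\r\n\r\n')
BENIGN = (b'GET / HTTP/1.1\r\nHost: example.invalid\r\n'
          b'User-Agent: Mozilla/5.0\r\n\r\n')

HEX_BLOCK = re.compile(r'\|([0-9A-Fa-f\s]+)\|')
# Option keywords that modify the content: match immediately before them.
MODIFIERS = {'http_header', 'http_uri', 'http_client_body', 'nocase',
             'depth', 'offset', 'within', 'distance'}


def decode_content(value):
    """Turn a Snort content string with |xx xx| hex escapes into bytes.
    Text outside the pipes is literal; inside the pipes each pair is a byte."""
    out, pos = bytearray(), 0
    for m in HEX_BLOCK.finditer(value):
        out += value[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1))       # whitespace between bytes is ignored
        pos = m.end()
    out += value[pos:].encode('latin-1')
    return bytes(out)


def split_options(body):
    """Split the option block on ';' while respecting quoted values."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch); escape = False
        elif ch == '\\':
            cur.append(ch); escape = True
        elif ch == '"':
            in_quote = not in_quote; cur.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]


def parse_rule(rule):
    """Return header fields plus an ordered (key, value) option list."""
    head, _, body = rule.partition('(')
    fields = head.split()
    if len(fields) != 7:
        raise ValueError('expected action proto src sport dir dst dport')
    action, proto, src, sport, direction, dst, dport = fields
    options = []
    for opt in split_options(body.rstrip().rstrip(')')):
        key, sep, value = opt.partition(':')
        options.append((key.strip(), value.strip() if sep else None))
    return {'action': action, 'protocol': proto, 'src': src, 'src_port': sport,
            'direction': direction, 'dst': dst, 'dst_port': dport, 'options': options}


def content_matchers(parsed):
    """Pair every content: option with the modifiers that follow it."""
    matchers, current = [], None
    for key, value in parsed['options']:
        if key == 'content':
            negated = value.startswith('!')
            raw = value.lstrip('!').strip('"')
            current = {'pattern': decode_content(raw), 'negated': negated, 'modifiers': set()}
            matchers.append(current)
        elif current is not None and key in MODIFIERS:
            current['modifiers'].add(key)
    return matchers


def matches(parsed, request):
    """Loose check of the rule's content matches against one client request (bytes).
    http_header restricts the search to the header section; nocase folds case."""
    header = request.split(b'\r\n\r\n', 1)[0]
    for m in content_matchers(parsed):
        hay = header if 'http_header' in m['modifiers'] else request
        needle = m['pattern']
        if 'nocase' in m['modifiers']:
            hay, needle = hay.lower(), needle.lower()
        if (needle in hay) == m['negated']:   # found-but-negated or missing-but-required
            return False
    return True


def describe(parsed):
    """Plain-English reading of the rule, like the accepted answer gives."""
    pats = ', '.join(repr(m['pattern']) for m in content_matchers(parsed))
    return (f"{parsed['action']} on {parsed['protocol']} traffic from {parsed['src']} port "
            f"{parsed['src_port']} {parsed['direction']} {parsed['dst']} port "
            f"{parsed['dst_port']} whose HTTP header contains {pats}")


if __name__ == '__main__':
    parsed = parse_rule(RULE)
    print(describe(parsed))
    print('suspect request matches:', matches(parsed, SUSPECT))
    print('benign request matches:', matches(parsed, BENIGN))
```

The $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS tokens are left as the variable names Snort expands from its configuration; the parser does not resolve them.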