Solved

question regarding snort rule

Posted on 2013-11-25
1
1,021 Views
Last Modified: 2013-12-02
Hi,
I am somewhat new to reading snort rule sets.  Can someone translate this for me.  Thanks.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)
0
Comment
Question by:NYGiantsFan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39674941
Alert when a TCP connection from your network connects to an external network on http ports (typically just 80), and when the flow that is established contains the words "User-Agent: SogouIME?".

3a is a colon, that's why they have plain-text mixed with hex (and that's why there are pipe characters in the rule) is so snort and or suricata don't interpret the colon as a rule delimiter. |3a| just means colon, it's an easy escape sequence for that rule, but it's not the only way to do it.
http://doc.emergingthreats.net/2011176
Read down toward the bttom of the references to see what notes might (or might not) be present about the rules.
-rich
0

Featured Post

What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
The conference as a whole was very interesting, although if one has to make a choice between this one and some others, you may want to check out the others.  This conference is aimed mainly at government agencies.  So it addresses the various compli…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses
Course of the Month5 days, 3 hours left to enroll

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question