Solved

question regarding snort rule

Posted on 2013-11-25
1
995 Views
Last Modified: 2013-12-02
Hi,
I am somewhat new to reading snort rule sets.  Can someone translate this for me.  Thanks.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)
0
Comment
Question by:NYGiantsFan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39674941
Alert when a TCP connection from your network connects to an external network on http ports (typically just 80), and when the flow that is established contains the words "User-Agent: SogouIME?".

3a is a colon, that's why they have plain-text mixed with hex (and that's why there are pipe characters in the rule) is so snort and or suricata don't interpret the colon as a rule delimiter. |3a| just means colon, it's an easy escape sequence for that rule, but it's not the only way to do it.
http://doc.emergingthreats.net/2011176
Read down toward the bttom of the references to see what notes might (or might not) be present about the rules.
-rich
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Best book for Internet security 4 52
How to become System Integration engineer 3 74
Network access 24 58
Having private conversations... 3 24
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question