question regarding snort rule

Posted on 2013-11-25
Last Modified: 2013-12-02
Hi,
I am somewhat new to reading Snort rule sets. Can someone translate this for me? Thanks.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; content:"User-Agent|3a| SogouIME?"; http_header; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:6;)
Question by:NYGiantsFan

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39674941
Alert when a TCP connection from your network connects to an external network on http ports (typically just 80), and when the flow that is established contains the words "User-Agent: SogouIME?".

3a is a colon; the reason they have plain text mixed with hex (and the reason there are pipe characters in the rule) is so Snort and/or Suricata don't interpret the colon as a rule delimiter. |3a| just means colon; it's an easy escape sequence for that rule, but it's not the only way to do it.
http://doc.emergingthreats.net/2011176
Read down toward the bottom of the references to see what notes might (or might not) be present about the rules.
-rich
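
The translation in the accepted answer, worked through in code as an added example (not part of the original thread and not Snort's own implementation): it splits the posted rule into header and options, decodes the `|3a|` hex escape, and checks three constructed requests. The function names are hypothetical, `http_header` is approximated as "the header block after the request line", and backslash escapes inside `content` are not handled.

```python
import re

# The rule exactly as posted in the question.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogoul.com '
    'Spyware User-Agent (SogouIMEMiniSetup?)"; flow:established,to_server; '
    'content:"User-Agent|3a| SogouIME?"; http_header; '
    'reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; '
    'sid:2008500; rev:6;)'
)

def parse_rule(rule):
    """Split a rule into its header fields and an ordered list of (option, value) pairs."""
    header, _, body = rule.partition("(")
    names = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
    fields = dict(zip(names, header.split()))
    # Each option is name[:value]; a value is a quoted string or runs up to the next ';'.
    options = re.findall(r'(\w+)(?::("[^"]*"|[^;]*))?;', body)
    return fields, [(k, v.strip('"')) for k, v in options]

def decode_content(pattern):
    """Literal text stays as is; text between a pair of pipes is hex bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def header_match(rule, request):
    """Approximate content + http_header: search only the header block, case-sensitively."""
    _, options = parse_rule(rule)
    needle = decode_content(dict(options)["content"])
    head = request.split(b"\r\n\r\n", 1)[0]
    headers = head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""
    return needle in headers

# Constructed sample requests (not captured traffic).
NEEDLE = decode_content("User-Agent|3a| SogouIME?")
HIT = b"GET / HTTP/1.1\r\nHost: example.test\r\n" + NEEDLE + b"\r\n\r\n"
LOWER = b"GET / HTTP/1.1\r\nHost: example.test\r\n" + NEEDLE.lower() + b"\r\n\r\n"
BODY = b"POST / HTTP/1.1\r\nHost: example.test\r\n\r\n" + NEEDLE

if __name__ == "__main__":
    fields, options = parse_rule(RULE)
    print(fields)
    print(options)
    for name, req in (("HIT", HIT), ("LOWER", LOWER), ("BODY", BODY)):
        print(name, header_match(RULE, req))
```

Only the first request matches: the rule has no `nocase` modifier, so the lower-cased header is missed, and `http_header` keeps the same bytes in a request body from firing the rule.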