1
I was looking through the community.rules made available on the Snort web page, and noticed these two rules:
Rule @ line 2643: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27625; rev:2;)
Rule @ line 2644: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27626; rev:2;)
Doesn't the content
option in the first rule (|09|documents|09|myPicture|04|info|00|
) make the 2nd rule redundant? That is, the 1st rule will always trigger if the 2nd rule does because its content
option is a substring of the 2nd's content
option (|03|ftp|09|documents|09|myPicture|04|info|00|
)
Do you have a source? – Canadian Luke – 2015-06-23T16:40:24.917
See the Snort rules email list archive: http://marc.info/?l=snort-sigs&m=143507194315044&w=2
– T.D. Smith – 2015-06-23T17:30:02.963