Bug #6397

closed

detect: multiple legacy buffer selection leading to multi-buffer

Added by Victor Julien about 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

A rule like

alert http $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"ET TROJAN Variant.Zusy.45802 Checkin";
    flow:to_server,established;
    content:".php?uid="; fast_pattern:only; http_uri;
    content:"&affid="; http_uri;
    content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_user_agent; pcre:"/^$/RV";
    content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui";
    classtype:trojan-activity; sid:2016816; rev:3;)

would set up 2 "buffers": one for the initial set of contents modified with http_uri, the second for the pcre with /U.
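To see the buffer grouping the rule above should produce (one buffer per HTTP field, with the legacy content modifier and the pcre flag resolving to the same buffer rather than two), here is an added Python sketch that is not Suricata's own code; the modifier-to-buffer table is assumed from the documented rule format and only covers the HTTP buffers this rule touches.

```python
from collections import defaultdict

# Assumed mapping (not Suricata's code): legacy content modifier / pcre flag -> sticky buffer.
# The bug report's point: content+http_uri and pcre /U must resolve to the SAME buffer.
LEGACY_CONTENT_MODS = {"http_uri": "http.uri", "http_raw_uri": "http.uri.raw",
                       "http_header": "http.header", "http_raw_header": "http.header.raw",
                       "http_user_agent": "http.user_agent", "http_cookie": "http.cookie"}
PCRE_FLAG_BUFFERS = {"U": "http.uri", "I": "http.uri.raw", "H": "http.header",
                     "D": "http.header.raw", "V": "http.user_agent", "C": "http.cookie"}

# The rule from the report above, verbatim apart from line joins.
RULE = r'''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Zusy.45802 Checkin";
    flow:to_server,established; content:".php?uid="; fast_pattern:only; http_uri; content:"&affid="; http_uri;
    content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_user_agent; pcre:"/^$/RV";
    content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui";
    classtype:trojan-activity; sid:2016816; rev:3;)'''

def split_options(rule: str) -> list[str]:
    """Split the (...) option block on ';', ignoring ';' inside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    items, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [i for i in items + ["".join(cur).strip()] if i]

def group_by_buffer(rule: str) -> dict[str, list[str]]:
    """Return {buffer: [content/pcre keywords]}: one entry per HTTP field, not one per syntax."""
    buffers, pending = defaultdict(list), None  # pending = content awaiting its modifier
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        if name == "content":
            pending = f"content:{value}"
            buffers["payload"].append(pending)  # default until a modifier moves it
        elif name in LEGACY_CONTENT_MODS and pending is not None:
            buffers["payload"].remove(pending)
            buffers[LEGACY_CONTENT_MODS[name]].append(pending)
            pending = None
        elif name == "pcre":
            flags = value.strip('"').rsplit("/", 1)[1]  # modifier letters after the closing '/'
            target = next((PCRE_FLAG_BUFFERS[f] for f in flags if f in PCRE_FLAG_BUFFERS), "payload")
            buffers[target].append(f"pcre:{value}")
    return {k: v for k, v in buffers.items() if v}
```

Run on the rule above it yields three keys (http.uri, http.user_agent, http.header), with the /U pcre grouped under http.uri alongside the two http_uri contents, which is the single-buffer result the report expects.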
