[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BLU148-W29619ECF184243560D9162B45F0@phx.gbl>
Date: Fri, 15 May 2009 10:07:32 -0500
From: John Jacobs <flamdugen@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: ISC Twitter/Google Snort Signatures
Hello FD, first and foremost thank you for the strong effort and excellent signatures. As such, in an attempt to give back to a wonderful community, I humbly submitted the following Snort rules for inclusion into the ET signatures. A brief explanation is provided below:
The first signature is designed to detect Google non-security related announcement articles on the ISC Diary; this seems to be a topic of extreme interest for some ISC Handlers despite having little to no security value. I am unsure if this is a result of "Slow News Day" syndrome or another behavorial oddity which manifests at ISC. This will detect on "Google is slow" style articles as well, however, I am sure this signature will require more tweaking as ISC encourages handing over more personal data to a 3rd party under the guise of functionality.
The second signature is designed to detect Joel peddling Twitter on the isc.sans.org Diary, as again, this isn't security related. I suspect the Twitter signature may tend to fire more than the Google as Joel tends to get excited about "Tweeting" and "Twittering" and this spills over into the ISC Diary anytime he's the "Handler on Duty".
As always, please feel free to make changes to this signatures, especially regarding performance. I've placed these into ET POLICY but they may be more applicable in another classes, perhaps a blocking class. I thank you in advance, feel free to modify for PCRE as well.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY isc.sans.org Access"; flowbits:set,isc_sans; flowbits:noalert; flow:established,to_server; content:"|0D 0A|Host|3A 20|isc|2E|sans|2E|org|0D 0A|"; reference:url,isc.sans.org/; classtype:policy-violation; sid:2009xxxx; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org SANdlers say Google is slow"; flowbits:isset,isc_sans; flow:established,from_server; content:"google"; nocase; content:"slow"; nocase; reference:url,isc.sans.org/diary.html?storyid=6388; reference:url,isc.sans.org/diary.html?storyid=5443; classtype:policy-annoyance; sid:2009xxxx; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY isc.sans.org Joel Esler Peddling Twitter"; flowbits:isset,isc_sans; flow:established,from_server; content:"Joel|20|Esler"; nocase; content:"Twitter"; nocase; reference:url,isc.sans.org/diary.html?storyid=6391; reference:url,isc.sans.org/diary.html?storyid=6388; classtype:policy-annoyance; sid:2009xxxx; rev:1;)
- John Jacobs
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists