2048118 is a little loose

This is over non-standard ports, buried deep in the packet, and seems a little loose. Any anchors at all we can add?
[ 1456] BA B7 09 CD C1 78 74 DF B3 00 95 79 2D 84 1C F0 …xt…y-…
[ 1472] 38 32 48 B1 DC 26 E2 D5 43 35 7A DE 1C E3 32 E2 82H…&…C5z…2.
[ 1488] D9 6C 86 03 92 61 BB DE B4 77 F7 29 5B 19 48 4C .l…a…w.)[.HL
[ 1504] F8 15 B1 DA BC BC AC AC 9D 20 …


Hey James,

This rule was mine, so that's my bad. Just want to let you know, I made a slight change to this rule to combine offset:4 and depth:4 to lock that content match to bytes 4-7 as reported by Trend Micro in the reference material. That change should be going out tonight in the daily rule release. Usually the daily release is available by about 7 PM EST, barring any major problems.

Thanks for reporting this, and for your contributions to the community.

-Tony Robinson

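The effect of the offset/depth change described in the reply above, modelled as an added example. This is not the rule itself: the thread never quotes the real content bytes of SID 2048118, so the four-byte MARKER, the three sample payloads and the 1536-byte "deep in the packet" position are all constructed here. The matching semantics modelled (the search window starts at offset and is depth bytes long, and the whole content must fit inside it) follow the reply's description of offset:4 plus depth:4 pinning a four-byte content to bytes 4-7; check your engine's documentation if you depend on the exact boundary behaviour.

```python
from typing import Optional

# Constructed placeholder for the rule's 4-byte content match. The thread does
# not quote the real bytes of SID 2048118, so these are NOT taken from the rule.
MARKER = b"\xDE\xAD\xBE\xEF"

# Constructed sample payloads (not captures from the thread):
# - MALICIOUS: the marker sits at bytes 4-7, where the reply says it belongs.
# - BENIGN: 1536 bytes of unrelated data, then the same four bytes by chance,
#   the "buried deep in the packet" situation the original report describes.
# - SHIFTED: the marker one byte later than expected, at bytes 5-8.
MALICIOUS = b"\x00\x00\x00\x10" + MARKER + b"\x01\x02\x03\x04"
BENIGN = bytes(range(256)) * 6 + MARKER + b"\x00" * 8
SHIFTED = b"\x00" * 5 + MARKER


def content_match(payload: bytes, content: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> Optional[int]:
    """Return the payload index where `content` matches, or None.

    offset: absolute byte position at which the search window starts.
    depth:  size of the search window, counted from `offset`; the whole
            content must fit inside it. Without depth the window runs to the
            end of the payload, which is why a bare content match fires
            wherever the bytes happen to occur.
    """
    if depth is not None and depth < len(content):
        # A window smaller than the content can never match; reject it up front
        # the way a rule loader would.
        raise ValueError("depth smaller than content length can never match")
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    idx = payload.find(content, offset, end)  # match must lie within [offset, end)
    return None if idx == -1 else idx


def rule_options(content: bytes, offset: Optional[int] = None,
                 depth: Optional[int] = None) -> str:
    """Render the content modifiers in rule syntax, e.g.
    content:"|DE AD BE EF|"; offset:4; depth:4;"""
    parts = ['content:"|' + " ".join(f"{b:02X}" for b in content) + '|";']
    if offset is not None:
        parts.append(f"offset:{offset};")
    if depth is not None:
        parts.append(f"depth:{depth};")
    return " ".join(parts)


def compare_rules() -> dict:
    """Evaluate the loose (unanchored) and anchored forms over the samples."""
    samples = {"malicious": MALICIOUS, "benign": BENIGN, "shifted": SHIFTED}
    return {
        "loose": {name: content_match(p, MARKER) for name, p in samples.items()},
        "anchored": {name: content_match(p, MARKER, offset=4, depth=4)
                     for name, p in samples.items()},
    }


if __name__ == "__main__":
    print("loose:   ", rule_options(MARKER))
    print("anchored:", rule_options(MARKER, offset=4, depth=4))
    for rule, hits in compare_rules().items():
        for name, idx in hits.items():
            desc = "no match" if idx is None else f"match at byte {idx}"
            print(f"{rule:9} {name:10} -> {desc}")
```

The loose form matches all three constructed payloads, including the benign one where the bytes occur 1536 bytes in. The anchored form matches only the payload with the marker at bytes 4-7, and the shifted sample shows that widening depth by one byte (offset:4; depth:5;) is what it would take to accept a marker at byte 5, so the window should be no larger than the reference material justifies.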

Brilliant, thank you much!


Thanks @James_inthe_box @trobinson667 !
