Are these Snort rules redundant?

I was browsing the Snort community rules page and noticed the following two rules:

Rule @ line 2643: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27625; rev:2;)

Rule @ line 2644: alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27626; rev:2;)

Doesn't the content option in the first rule (|09|documents|09|myPicture|04|info|00|) make the second rule redundant? That is, if the second rule fires, the first rule will always fire too, because the first rule's content option is a substring of the second rule's content option (|03|ftp|09|documents|09|myPicture|04|info|00|).
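To make the substring argument concrete, here is an added Python example (it is not from the question, the answer, or the Snort project). It decodes the two rules' content strings into raw bytes, encodes domain names the way a DNS question section carries them, emulates the rules' byte_test on the DNS flags byte, and checks which rule content matches which query. The function names and the sample DNS packets are my own constructions.

```python
import struct

# The two content strings from the rules quoted above (sid 27625 and sid 27626).
RULE_27625_CONTENT = "|09|documents|09|myPicture|04|info|00|"
RULE_27626_CONTENT = "|03|ftp|09|documents|09|myPicture|04|info|00|"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort 'content' string into raw bytes.

    Text between a pair of pipes is hex (e.g. |09| -> 0x09); text outside
    pipes is literal ASCII.
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


def dns_name_to_wire(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, NUL terminated."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_dns_packet(qname: str, response: bool = False) -> bytes:
    """Build a minimal DNS message (constructed sample data, not a capture):
    a 12-byte header and one question for an A record in class IN."""
    flags = 0x8180 if response else 0x0100   # QR=1 for a response, RD=1 for a query
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    question = dns_name_to_wire(qname) + struct.pack("!HH", 1, 1)
    return header + question


def passes_byte_test(packet: bytes) -> bool:
    """Emulate 'byte_test:1,!&,0xF8,2' from the rules: read 1 byte at offset 2
    and succeed only if none of the bits in 0xF8 (QR, Opcode, AA) are set,
    i.e. the message is a standard query rather than a response."""
    return len(packet) > 2 and (packet[2] & 0xF8) == 0


def rule_matches(packet: bytes, content: str) -> bool:
    """Apply the rule conditions that can be checked offline: the byte_test on
    the DNS flags byte and the content match. The flow:to_server and port 53
    conditions are assumed to be satisfied by the packet's direction."""
    return passes_byte_test(packet) and snort_content_to_bytes(content) in packet


def makes_redundant(content_a: str, content_b: str) -> bool:
    """True if every packet matching content_b also matches content_a, i.e. the
    bytes of a are a substring of the bytes of b. With all other rule options
    identical, a rule carrying content_a makes a rule carrying content_b redundant."""
    return snort_content_to_bytes(content_a) in snort_content_to_bytes(content_b)


if __name__ == "__main__":
    print(makes_redundant(RULE_27625_CONTENT, RULE_27626_CONTENT))   # True
    print(makes_redundant(RULE_27626_CONTENT, RULE_27625_CONTENT))   # False
    for name in ("documents.myPicture.info", "ftp.documents.myPicture.info"):
        pkt = build_dns_packet(name)
        print(name, rule_matches(pkt, RULE_27625_CONTENT), rule_matches(pkt, RULE_27626_CONTENT))
```

Because both rules share the same header, flow, byte_test and metadata options, the content bytes are the only thing that differs, and the query for ftp.documents.myPicture.info carries the first rule's bytes as a contiguous substring of its question name. The byte_test emulation also shows why a DNS response carrying the same name does not trigger either rule: the QR bit in the flags byte is set.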

Answer 1

This exchange on the Snort mailing list confirms that these rules are redundant.
