[Snort-sigs] Uricontent issue

Matthew Jonkman matt at ...2436...
Fri Jul 9 06:42:06 EDT 2004


Jonathan Miner submitted an adware rule yesterday. I modified it to use 
uricontent since he had only content but was matching on the url requested.

Since I changed it, it does not hit. He pointed that out, so I put in 2 
sets of rules, identical except one pair was content, the other uricontent.

The uricontent ones are not hitting, the content ones are. Reliably so 
far. Here they are, as they are on bleeding. Only 2000366 and 2000367 
are hitting.

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; content:"/bi/servlet/BIMaster"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000358; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; content:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000365; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; uricontent:"/bi/servlet/BIMaster"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000366; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; sid:2000367; rev:1;)

I have the http preprocessor running; other rules with uricontent do 
hit. Anyone have any theories here? Jonathan had supplied a snoop of a 
matching packet. It's pasted below:

By the way, the second pair are hitting on a ton of stuff. This little 
adware package is pretty widespread in the nets of our clients. And 
they're all pretty aware of adware and such. Worth running the sigs.

Thanks

Matt


IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:   Total length = 651 bytes
IP:   Identification = 54099
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 126 seconds/hops
IP:   Protocol = 6 (TCP)
IP:   Header checksum = e107
IP:   Source address = ###.###.###.###, some_client_workstation
IP:   Destination address = ###.###.###.###, my_proxy_server
IP:   No options
IP:
TCP:  ----- TCP Header -----
TCP:
TCP:  Source port = 3892
TCP:  Destination port = 80 (HTTP)
TCP:  Sequence number = 2633622
TCP:  Acknowledgement number = 791633037
TCP:  Data offset = 20 bytes
TCP:  Flags = 0x18
TCP:        ..0. .... = No urgent pointer
TCP:        ...1 .... = Acknowledgement
TCP:        .... 1... = Push
TCP:        .... .0.. = No reset
TCP:        .... ..0. = No Syn
TCP:        .... ...0 = No Fin
TCP:  Window = 8760
TCP:  Checksum = 0x71ca
TCP:  Urgent pointer = 0
TCP:  No options
TCP:
HTTP: ----- HyperText Transfer Protocol -----
HTTP:
HTTP: GET 
http://s.abetterinternet.com/bi/servlet/BIMaster?adcontext=MOTS_CHECKI
N&contextpeak=0&contextcount=0&countrycodein=US&lastAdTime=0|0|0|0|1087999934|0|
0|0|0|&lastAdCode=5&cookie1=lflshdt%3D1080051120%26lupgid%3D151%26lstlogdt%3D200
40623%26capcntdy%3D12%26lupgdt%3D1087999934482%26cntp%3Dtx%26lupgtry%3D1%26capcn
t%3D12%26&cookie2=lastlstdt%3D1087999934482%26fstcidt%3D1080051120318%26&InstID=
{DA3B4498-307C-4892-BF40-F223951F0957}&DistID=MSIH9112&status=1&smode=7&inststat
=cabbaged&bho=bi.dll&NumWindows=-1 HTTP/1.0
HTTP: User-Agent: {DA3B4498-307C-4892-BF40-F223951F0957}|0.0.4.19
HTTP: Host: s.abetterinternet.com
HTTP:
HTTP:
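The distinction the thread turns on, as an added example that is not part of the original post and is not Snort code: a small Python model of what the two options search. A plain `content` match searches the whole packet payload, while `uricontent` searches only the URI buffer the HTTP preprocessor extracts from the request line. The sample requests are constructed: the first reproduces the request line and headers from the snoop above with the long query string shortened, the second is a made-up request that carries the BIMaster path only in a Referer header. The `normalize_uri` function is an assumption about what a preprocessor does with a proxy-style absolute URI like the one in the snoop (reduce it to path and query); it is not a description of how Snort's own preprocessor builds its buffer.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: request line and headers from the snooped packet above,
# with the query string abbreviated (the full one is in the snoop output).
SNOOPED_REQUEST = (
    "GET http://s.abetterinternet.com/bi/servlet/BIMaster?adcontext=MOTS_CHECKIN"
    "&lastAdCode=5&DistID=MSIH9112&bho=bi.dll&NumWindows=-1 HTTP/1.0\r\n"
    "User-Agent: {DA3B4498-307C-4892-BF40-F223951F0957}|0.0.4.19\r\n"
    "Host: s.abetterinternet.com\r\n"
    "\r\n"
)

# Constructed counter-example: the BIMaster path appears only in a Referer
# header, never in the request-URI. A content rule still hits on it; a
# uricontent rule does not.
REFERER_ONLY_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://s.abetterinternet.com/bi/servlet/BIMaster?x=1\r\n"
    "\r\n"
)

# The four rules from the post, reduced to sid -> [(option, pattern), ...].
# All four use nocase, so the matchers below compare case-insensitively.
RULES: Dict[int, List[Tuple[str, str]]] = {
    2000358: [("content", "/bi/servlet/BIMaster"), ("content", "abetterinternet.com")],
    2000365: [("content", "/download/cabs/set_pix.php"), ("content", "abetterinternet.com")],
    2000366: [("uricontent", "/bi/servlet/BIMaster"), ("content", "abetterinternet.com")],
    2000367: [("uricontent", "/download/cabs/set_pix.php"), ("content", "abetterinternet.com")],
}

# scheme://authority followed by an optional path-and-query
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://[^/?#]*(?P<rest>[/?].*)?$", re.I)


def request_uri(payload: str) -> Optional[str]:
    """Pull the Request-URI out of the first line ('METHOD URI VERSION')."""
    request_line = payload.split("\r\n", 1)[0]
    fields = request_line.split(" ")
    return fields[1] if len(fields) == 3 else None


def normalize_uri(uri: str) -> str:
    """Assumed normalizer: a proxy-style absolute URI (as in the snoop) is
    reduced to its path-and-query so '/bi/servlet/...' sits at the start.
    The buffer a real preprocessor builds may differ; that buffer is what
    to inspect when a uricontent rule unexpectedly does not fire."""
    m = ABSOLUTE_URI.match(uri)
    if m:
        return m.group("rest") or "/"
    return uri


def content_match(payload: str, pattern: str) -> bool:
    """'content; nocase': search the entire packet payload."""
    return pattern.lower() in payload.lower()


def uricontent_match(payload: str, pattern: str) -> bool:
    """'uricontent; nocase': search only the normalized URI buffer."""
    uri = request_uri(payload)
    return uri is not None and pattern.lower() in normalize_uri(uri).lower()


MATCHERS = {"content": content_match, "uricontent": uricontent_match}


def evaluate(payload: str) -> Dict[int, bool]:
    """Return {sid: fired}; every option in a rule must match (AND)."""
    return {
        sid: all(MATCHERS[opt](payload, pat) for opt, pat in opts)
        for sid, opts in RULES.items()
    }


if __name__ == "__main__":
    for name, req in (("snooped", SNOOPED_REQUEST), ("referer-only", REFERER_ONLY_REQUEST)):
        fired = {sid: "HIT" if hit else "-" for sid, hit in evaluate(req).items()}
        print(name, fired)
```

In this model both 2000358 and 2000366 fire on the snooped request, because the BIMaster path is present both in the raw payload and in the normalized URI. If a sensor fires the content rule but not the uricontent rule on the same packet, the rule text is not the variable; the URI buffer the preprocessor hands to uricontent is (for example, how it treats an absolute URI sent to a proxy). The second request shows the other side of the trade: a content rule matches the path wherever it appears, including in a Referer header, while the uricontent rule does not.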