[Snort-sigs] Uricontent issue

Matthew Jonkman matt at ...2436...
Fri Jul 9 07:51:13 EDT 2004


He he, you're right. Other way around. Uri is hitting now, for me at 
least. Hitting a lot, have about 200 unique hits in the last hour. This 
is a widespread piece of adware.

So I'll drop the content versions out in a few minutes. Jonathan, which 
is hitting for you?

Thanks Chad.

Matt

Kreimendahl, Chad J wrote:

> Wait... so they are or they aren't hitting?  366 and 367 are the only
> ones with uricontent... so it's working? 
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:matt at ...2436...] 
> Sent: Friday, July 09, 2004 8:41 AM
> To: snort-sigs mailinglist
> Cc: Miner, Jonathan W (CSC) (US SSA)
> Subject: [Snort-sigs] Uricontent issue
> 
> Jonathan Miner submitted an adware rule yesterday. I modified it to use 
> uricontent since he had only content but was matching on the url
> requested.
> 
> Since I changed it it does not hit. He pointed that out, so I put in 2 
> sets of rules identical except one pair was content, the other
> uricontent.
> 
> The uricontent ones are not hitting, the content ones are. Reliably so 
> far. Here they are, as they are on bleeding. Only 2000366 and 2000367 
> are hitting.
> 
> #Submitted by Jonathan Miner
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; content:"/bi/servlet/BIMaster"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000358; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; content:"/download/cabs/set_pix.php"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000365; rev:1;)
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; uricontent:"/bi/servlet/BIMaster"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000366; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; uricontent:"/download/cabs/set_pix.php"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000367; rev:1;)
> 
> I have the http preprocessor running, other rules with uricontent do 
> hit. Anyone have any theories here? Jonathan had supplied a snoop of a 
> matching packet. It's pasted below:
> 
> By the way, the second pair are hitting on a ton of stuff. This little 
> adware package is pretty widespread in the nets of our clients. And 
> they're all pretty aware of adware and such. Worth running the sigs.
> 
> Thanks
> 
> Matt
> 
> 
> IP:   ----- IP Header -----
> IP:
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 651 bytes
> IP:   Identification = 54099
> IP:   Flags = 0x4
> IP:         .1.. .... = do not fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 6 (TCP)
> IP:   Header checksum = e107
> IP:   Source address = ###.###.###.###, some_client_workstation
> IP:   Destination address = ###.###.###.###, my_proxy_server
> IP:   No options
> IP:
> TCP:  ----- TCP Header -----
> TCP:
> TCP:  Source port = 3892
> TCP:  Destination port = 80 (HTTP)
> TCP:  Sequence number = 2633622
> TCP:  Acknowledgement number = 791633037
> TCP:  Data offset = 20 bytes
> TCP:  Flags = 0x18
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...1 .... = Acknowledgement
> TCP:        .... 1... = Push
> TCP:        .... .0.. = No reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 8760
> TCP:  Checksum = 0x71ca
> TCP:  Urgent pointer = 0
> TCP:  No options
> TCP:
> HTTP: ----- HyperText Transfer Protocol -----
> HTTP:
> HTTP: GET http://s.abetterinternet.com/bi/servlet/BIMaster?adcontext=MOTS_CHECKIN&contextpeak=0&contextcount=0&countrycodein=US&lastAdTime=0|0|0|0|1087999934|0|0|0|0|&lastAdCode=5&cookie1=lflshdt%3D1080051120%26lupgid%3D151%26lstlogdt%3D20040623%26capcntdy%3D12%26lupgdt%3D1087999934482%26cntp%3Dtx%26lupgtry%3D1%26capcnt%3D12%26&cookie2=lastlstdt%3D1087999934482%26fstcidt%3D1080051120318%26&InstID={DA3B4498-307C-4892-BF40-F223951F0957}&DistID=MSIH9112&status=1&smode=7&inststat=cabbaged&bho=bi.dll&NumWindows=-1 HTTP/1.0
> HTTP: User-Agent: {DA3B4498-307C-4892-BF40-F223951F0957}|0.0.4.19
> HTTP: Host: s.abetterinternet.com
> HTTP:
> HTTP:

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


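The thread turns on the difference between content (searched in the raw packet payload) and uricontent (searched in the request URI after the http preprocessor has normalised it), and on the fact that the captured request is a proxy-style GET carrying an absolute URI. Below is an added, stand-alone Python check that is not part of the thread, of Bleeding Edge, or of Snort itself: a small model of how Snort 2 evaluates the four rules quoted above against a captured request. The URI buffer here is only percent-decoded, which is a deliberate simplification of http_inspect's normalisation; the two sample requests are constructed (the first modelled on the snoop in the thread, with a placeholder GUID; the second a percent-encoded variant of the same path that a raw content match misses while the normalised uricontent match still fires).

```python
"""Offline check of which of the thread's Snort rules fire on a captured HTTP request.

Simplified model (an added example, not Snort's http_inspect code):
  content     -> searched in the raw TCP payload
  uricontent  -> searched in the request-target after percent-decoding
                 (stand-in for http_inspect's normalised URI buffer)
  nocase      -> case-insensitive match for the preceding content/uricontent
"""
from urllib.parse import unquote_to_bytes

# The four rules as posted in the thread: 2000358/2000365 use content, 2000366/2000367 uricontent.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; '
    'content:"/bi/servlet/BIMaster"; nocase; content:"abetterinternet.com"; nocase; '
    'classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; '
    'sid:2000358; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; '
    'content:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; '
    'classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; '
    'sid:2000365; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; '
    'uricontent:"/bi/servlet/BIMaster"; nocase; content:"abetterinternet.com"; nocase; '
    'classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; '
    'sid:2000366; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware Binet"; '
    'uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; '
    'classtype: policy-violation; reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; '
    'sid:2000367; rev:1;)',
]

# Constructed payload modelled on the snoop in the thread: a proxy-style GET with an
# absolute URI and a trimmed query string. The GUID is a placeholder, not the real one.
SAMPLE_PROXY_REQUEST = (
    b"GET http://s.abetterinternet.com/bi/servlet/BIMaster?adcontext=MOTS_CHECKIN"
    b"&countrycodein=US&lastAdCode=5&DistID=MSIH9112&status=1&bho=bi.dll HTTP/1.0\r\n"
    b"User-Agent: {00000000-0000-0000-0000-000000000000}|0.0.4.19\r\n"
    b"Host: s.abetterinternet.com\r\n"
    b"\r\n"
)

# Constructed variant: the same request with 'M' in BIMaster sent as %4D. The raw bytes no
# longer contain "/bi/servlet/BIMaster", but the decoded URI buffer does.
SAMPLE_ENCODED_REQUEST = SAMPLE_PROXY_REQUEST.replace(b"/BIMaster?", b"/BI%4Daster?")


def parse_rule(rule: str) -> dict:
    """Extract sid and the ordered (buffer, needle, nocase) matchers from a Snort rule.

    Only plain string content/uricontent values are handled (no |hex| or modifiers);
    that is all the rules in the thread use.
    """
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    sid, matchers = None, []
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key in ("content", "uricontent"):
            matchers.append([key, val.encode(), False])
        elif key == "nocase" and matchers:
            matchers[-1][2] = True        # nocase applies to the preceding content option
        elif key == "sid":
            sid = int(val)
    return {"sid": sid, "matchers": [tuple(m) for m in matchers]}


def uri_buffer(payload: bytes) -> bytes:
    """Request-target from the request line, percent-decoded.

    An absolute URI (as sent to a proxy, like the snoop) is kept whole, so a path such
    as /bi/servlet/BIMaster is still a substring of the buffer.
    """
    request_line = payload.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) < 2:
        return b""
    return unquote_to_bytes(fields[1])


def rule_matches(rule: str, payload: bytes) -> bool:
    """True when every content/uricontent option of the rule is found in its buffer."""
    buffers = {"content": payload, "uricontent": uri_buffer(payload)}
    for buf_name, needle, nocase in parse_rule(rule)["matchers"]:
        hay = buffers[buf_name]
        if nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def check_all(payload: bytes) -> dict:
    """Map each rule's sid to whether it would fire on this payload."""
    return {parse_rule(r)["sid"]: rule_matches(r, payload) for r in RULES}


if __name__ == "__main__":
    for label, payload in (("proxy request", SAMPLE_PROXY_REQUEST),
                           ("percent-encoded path", SAMPLE_ENCODED_REQUEST)):
        print(label, check_all(payload))
```

On the proxy-style request both the content rule 2000358 and the uricontent rule 2000366 fire (the path and hostname are present in the raw bytes and in the URI buffer alike), so a captured packet that matches both does not by itself tell you which buffer a sensor is using. The percent-encoded variant separates them: 2000358 misses because the raw bytes carry %4D, while 2000366 still fires on the decoded URI, which is the reason for preferring uricontent on a path match in the first place. If uricontent rules stay silent on a sensor where content rules fire, the thing to verify is that http_inspect is actually populating the URI buffer for that traffic (the port is in its list and the request is being treated as HTTP), not the rule text.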
