[Snort-sigs] Uricontent issue

Miner, Jonathan W (CSC) (US SSA) jonathan.w.miner at ...2476...
Fri Jul 9 10:12:07 EDT 2004


Sorry.. I've been away from my desk, and have not been paying attention.

I just checked, I have the "uricontent" rule in place, and have gotten ZERO hits from snort. The web proxy log file shows 215 requests.


-----Original Message-----
From:	snort-sigs-admin at lists.sourceforge.net on behalf of Matthew Jonkman
Sent:	Fri 07/09/2004 10:50 AM
To:	Kreimendahl, Chad J
Cc:	snort-sigs mailinglist; Miner, Jonathan W (CSC) (US SSA)
Subject:	Re: [Snort-sigs] Uricontent issue
He he, you're right. Other way around. Uri is hitting now, for me at 
least. Hitting a lot, have about 200 unique hits in the last hour. This 
is a widespread piece of adware.

So I'll drop the content versions out in a few minutes. Jonathan, which 
is hitting for you?

Thanks Chad.

Matt

Kreimendahl, Chad J wrote:

> Wait... so they are or they aren't hitting?  366 and 367 are the only
> ones with uricontent... so it's working? 
> 
> -----Original Message-----
> From: Matthew Jonkman [mailto:matt at ...2436...] 
> Sent: Friday, July 09, 2004 8:41 AM
> To: snort-sigs mailinglist
> Cc: Miner, Jonathan W (CSC) (US SSA)
> Subject: [Snort-sigs] Uricontent issue
> 
> Jonathan Miner submitted an adware rule yesterday. I modified it to use 
> uricontent since he had only content but was matching on the url
> requested.
> 
> Since I changed it, it does not hit. He pointed that out, so I put in 2 
> sets of rules identical except one pair was content, the other
> uricontent.
> 
> The uricontent ones are not hitting, the content ones are. Reliably so 
> far. Here they are, as they are on bleeding. Only 2000366 and 2000367 
> are hitting.
> 
> #Submitted by Jonathan Miner
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; content:"/bi/servlet/BIMaster"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000358; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; content:"/download/cabs/set_pix.php"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000365; rev:1;)
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; uricontent:"/bi/servlet/BIMaster"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000366; rev:2;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Malware 
> Binet"; uricontent:"/download/cabs/set_pix.php"; nocase; 
> content:"abetterinternet.com"; nocase; classtype: policy-violation; 
> reference:url,sarc.com/avcenter/venc/data/pf/adware.binet.html; 
> sid:2000367; rev:1;)
> 
> I have the http preprocessor running, other rules with uricontent do 
> hit. Anyone have any theories here? Jonathan had supplied a snoop of a 
> matching packet. It's pasted below:
> 
> By the way, the second pair are hitting on a ton of stuff. This little 
> adware package is pretty widespread in the nets of our clients. And 
> they're all pretty aware of adware and such. Worth running the sigs.
> 
> Thanks
> 
> Matt
> 
> 
> IP:   ----- IP Header -----
> IP:
> IP:   Version = 4
> IP:   Header length = 20 bytes
> IP:   Type of service = 0x00
> IP:         xxx. .... = 0 (precedence)
> IP:         ...0 .... = normal delay
> IP:         .... 0... = normal throughput
> IP:         .... .0.. = normal reliability
> IP:   Total length = 651 bytes
> IP:   Identification = 54099
> IP:   Flags = 0x4
> IP:         .1.. .... = do not fragment
> IP:         ..0. .... = last fragment
> IP:   Fragment offset = 0 bytes
> IP:   Time to live = 126 seconds/hops
> IP:   Protocol = 6 (TCP)
> IP:   Header checksum = e107
> IP:   Source address = ###.###.###.###, some_client_workstation
> IP:   Destination address = ###.###.###.###, my_proxy_server
> IP:   No options
> IP:
> TCP:  ----- TCP Header -----
> TCP:
> TCP:  Source port = 3892
> TCP:  Destination port = 80 (HTTP)
> TCP:  Sequence number = 2633622
> TCP:  Acknowledgement number = 791633037
> TCP:  Data offset = 20 bytes
> TCP:  Flags = 0x18
> TCP:        ..0. .... = No urgent pointer
> TCP:        ...1 .... = Acknowledgement
> TCP:        .... 1... = Push
> TCP:        .... .0.. = No reset
> TCP:        .... ..0. = No Syn
> TCP:        .... ...0 = No Fin
> TCP:  Window = 8760
> TCP:  Checksum = 0x71ca
> TCP:  Urgent pointer = 0
> TCP:  No options
> TCP:
> HTTP: ----- HyperText Transfer Protocol -----
> HTTP:
> HTTP: GET 
> http://s.abetterinternet.com/bi/servlet/BIMaster?adcontext=MOTS_CHECKI
> N&contextpeak=0&contextcount=0&countrycodein=US&lastAdTime=0|0|0|0|10879
> 99934|0|
> 0|0|0|&lastAdCode=5&cookie1=lflshdt%3D1080051120%26lupgid%3D151%26lstlog
> dt%3D200
> 40623%26capcntdy%3D12%26lupgdt%3D1087999934482%26cntp%3Dtx%26lupgtry%3D1
> %26capcn
> t%3D12%26&cookie2=lastlstdt%3D1087999934482%26fstcidt%3D1080051120318%26
> &InstID=
> {DA3B4498-307C-4892-BF40-F223951F0957}&DistID=MSIH9112&status=1&smode=7&
> inststat
> =cabbaged&bho=bi.dll&NumWindows=-1 HTTP/1.0
> HTTP: User-Agent: {DA3B4498-307C-4892-BF40-F223951F0957}|0.0.4.19
> HTTP: Host: s.abetterinternet.com
> HTTP:
> HTTP:

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------
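As an added illustration (not code from the thread or from Snort itself), the following models how a Snort `content` option searches the whole packet payload while `uricontent` searches only the URI buffer that http_inspect builds from the request line, using sids 2000358 and 2000366 from the post and a constructed copy of the proxy-style request in the snoop dump (query string shortened, User-Agent value replaced by a placeholder). It assumes the URI buffer holds the request-target exactly as sent, which is the case for an unnormalized absolute URI like the one captured.

```python
# Added example: a minimal model of Snort 2.x content vs uricontent matching.
# Assumption: the URI buffer equals the request-target from the request line
# and every option carries nocase, as in the rules posted on the list.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    uri_patterns: tuple   # uricontent:"..."; matched against the URI buffer only
    raw_patterns: tuple   # content:"...";    matched against the whole payload


def request_target(payload: bytes) -> bytes:
    """Return the request-target (second token of the request line), or b'' if malformed."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 3 else b""


def rule_hits(rule: Rule, payload: bytes) -> bool:
    """True when every uricontent hits the URI buffer and every content hits the raw payload."""
    uri, raw = request_target(payload).lower(), payload.lower()
    return (all(p.lower() in uri for p in rule.uri_patterns)
            and all(p.lower() in raw for p in rule.raw_patterns))


# The two rule variants from the thread (content-only vs uricontent for the path).
SID_2000358 = Rule(2000358, (), (b"/bi/servlet/BIMaster", b"abetterinternet.com"))
SID_2000366 = Rule(2000366, (b"/bi/servlet/BIMaster",), (b"abetterinternet.com",))

# Constructed payloads. PROXY_REQ mirrors the snoop dump: an absolute URI sent to a proxy.
PROXY_REQ = (b"GET http://s.abetterinternet.com/bi/servlet/BIMaster?adcontext=MOTS_CHECKIN&bho=bi.dll HTTP/1.0\r\n"
             b"User-Agent: {INSTID-PLACEHOLDER}|0.0.4.19\r\n"
             b"Host: s.abetterinternet.com\r\n\r\n")
# The same request sent directly to the origin server (relative path, host only in the Host header).
DIRECT_REQ = (b"GET /bi/servlet/BIMaster?adcontext=MOTS_CHECKIN HTTP/1.0\r\n"
              b"Host: s.abetterinternet.com\r\n\r\n")
# A benign request that merely mentions the adware URL in a Referer header.
REFERER_ONLY = (b"GET /index.html HTTP/1.0\r\n"
                b"Referer: http://s.abetterinternet.com/bi/servlet/BIMaster\r\n"
                b"Host: www.example.com\r\n\r\n")


def evaluate(payload: bytes) -> dict:
    """Map each sid to whether it fires on the given payload."""
    return {r.sid: rule_hits(r, payload) for r in (SID_2000358, SID_2000366)}
```

In this model both sids fire on the captured request, so whether 2000366 fires in a real sensor comes down to http_inspect actually populating the URI buffer for that traffic; the REFERER_ONLY case shows the false positive the content-only variant accepts and the uricontent variant avoids.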




