[Snort-sigs] Suspicious File Extensions

Jason security at ...704...
Mon Jul 19 19:40:02 EDT 2004


There are certainly macro viruses that use .xls, .dot, and .ppt, I've 
not heard of any rtf malware that I recall and pdf is kinda the norm, 
setting the rule to use !$SMTP_SERVERS and having SMTP_SERVERS defined 
correctly should be much less noisy though.


so instead of HOME_NET -> EXTERNAL_NET make it

!$SMTP_SERVERS -> $EXTERNAL_NET and then add a threshold to be more than 
10 in 60 sec and you should have a very effective rule.

but that is just MHO.


Matthew Jonkman wrote:
> This rule is up on bleedingsnort.com now. It's a rewrite of the 
> snort.org sid 721. The snort.org rule hits on everything imaginable; 
> for most of them I'm not aware of any credible threats in the file types 
> being detected (i.e. xls, vcf, ppt, rtf, dot, or pdf). This rule is scaled 
> back to not detect those. Please correct me if I'm wrong there.
> 
> Let me know if this is still hitting on the good ones, and if you have 
> an opinion on others to drop or put back in. This makes the rule actually 
> useful.
> 
> This rule will (should) hit on the following:
> ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, emf, 
> eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi,
> msp, nws, ocx, pif, pl, pm, pot, pps, reg, scr, shs, swf, sys, vb, vbe, 
> vbs, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh, xlt, xlw
> 
> 
> Be SURE to disable sid 721 in the snort.org sets if you use this rule. I 
> think it'll mean more to you in this form.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS OUTBOUND Suspicious Email Attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[x])|c([ho]m|li|md|pp)|d(iz|ll)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(ps|if|[lm]|ot)|reg|s(cr|[hy]s|wf)|v(b[es]?|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2000562; rev:1;)
> 
> Here's rule 721 from the snort.org sets that this one replaces:
> 
> # (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
> #    All rights reserved.
> # $Id: virus.rules,v 1.25 2004/05/21 21:37:15 cazz Exp $
> #------------
> # VIRUS RULES
> #------------
> #
> # We don't care about virus rules anymore.  BUT, you people won't stop asking
> # us for virus rules.  So... here ya go.
> #
> # There is now one rule that looks for any of the following attachment types:
> #
> #   ade, adp, asd, asf, asx, bat, chm, cli, cmd, com, cpp, diz, dll, dot, emf,
> #   eml, exe, hlp, hsq, hta, ini, js, jse, lnk, mda, mdb, mde, mdw, msi, msp,
> #   nws, ocx, pif, pl, pm, pot, pps, ppt, reg, rtf, scr, shs, swf, sys, vb,
> #   vbe, vbs, vcf, vxd, wmd, wmf, wms, wmz, wpd, wpm, wps, wpz, wsc, wsf, wsh,
> #   xls, xlt, xlw
> #
> 
> #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[stw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:7;)
> 
> 
> 
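Before deploying the rewritten rule, a defender would want to exercise the three pieces this thread discusses: the attachment-name PCRE from sid 2000562, Jason's !$SMTP_SERVERS exclusion, and his "more than 10 in 60 sec" threshold. The Python below is an added example, not code from the thread or from bleedingsnort.com. It lifts the PCRE verbatim from the quoted rule (Snort's trailing R modifier, which anchors the match after the previous content hit, has no Python equivalent, so the code searches the text after the Content-Disposition header by hand) and runs it over constructed MIME headers and a constructed event stream; the SMTP_SERVERS set, host addresses and timestamps are all made up. In Snort 2 itself the same threshold is written in-rule as `threshold: type threshold, track by_src, count 10, seconds 60;`.

```python
import re
from collections import defaultdict, deque

# PCRE lifted from the quoted BLEEDING-EDGE sid 2000562 rule. Snort's trailing
# "R" modifier (match relative to the previous content hit) has no Python
# equivalent, so attachment_is_suspicious() applies the pattern to the text
# after "Content-Disposition:" itself.
SUSPICIOUS_NAME = re.compile(
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[x])|c([ho]m|li|md|pp)|d(iz|ll)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(ps|if|[lm]|ot)|reg|s(cr|[hy]s|wf)|v(b[es]?|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]",
    re.IGNORECASE,
)

# Equivalent of: content:"Content-Disposition|3A|"; nocase;
HEADER = re.compile(r"content-disposition:", re.IGNORECASE)

# Constructed: the site's legitimate outbound relays (what $SMTP_SERVERS holds).
SMTP_SERVERS = {"192.0.2.25"}


def attachment_is_suspicious(headers):
    """Mimic the rule body: locate the Content-Disposition header, then run
    the PCRE on what follows it, which is what the R modifier does in Snort."""
    hit = HEADER.search(headers)
    if hit is None:
        return False
    return SUSPICIOUS_NAME.search(headers[hit.end():]) is not None


class SourceThreshold:
    """Jason's 'more than 10 in 60 sec' as a sliding window per source host.
    record() returns True only once a source has exceeded `count` matching
    attachments within the last `seconds`."""

    def __init__(self, count=10, seconds=60):
        self.count = count
        self.seconds = seconds
        self.windows = defaultdict(deque)

    def record(self, src, ts):
        window = self.windows[src]
        window.append(ts)
        while ts - window[0] > self.seconds:   # drop hits older than the window
            window.popleft()
        return len(window) > self.count


def detect(events, smtp_servers=SMTP_SERVERS, count=10, seconds=60):
    """events: (timestamp, source_ip, mime_headers) tuples in time order.
    Returns the (timestamp, source_ip) pairs that would alert under
    !$SMTP_SERVERS -> $EXTERNAL_NET plus the per-source threshold."""
    threshold = SourceThreshold(count, seconds)
    alerts = []
    for ts, src, headers in events:
        if src in smtp_servers:
            continue  # relays are supposed to send mail; the rule skips them
        if attachment_is_suspicious(headers) and threshold.record(src, ts):
            alerts.append((ts, src))
    return alerts


def sample_events():
    """Constructed traffic: one desktop bursting double-extension .exe mail,
    one desktop sending ordinary PDF reports, and the relay forwarding .pif
    attachments (which the SMTP_SERVERS exclusion must suppress)."""
    tmpl = ('Content-Type: application/octet-stream\r\n'
            'Content-Disposition: attachment; filename="{}"\r\n')
    events = []
    events += [(100 + 4 * i, "192.0.2.10", tmpl.format(f"photo{i}.jpg.exe")) for i in range(12)]
    events += [(110 + 10 * i, "192.0.2.11", tmpl.format(f"report{i}.pdf")) for i in range(3)]
    events += [(100 + i, "192.0.2.25", tmpl.format(f"invoice{i}.pif")) for i in range(20)]
    return sorted(events)


if __name__ == "__main__":
    for ts, src in detect(sample_events()):
        print(f"t={ts}s src={src}: suspicious attachment threshold exceeded")
```

With the constructed stream only the bursting desktop alerts, and only from its 11th matching message onward; the relay's twenty .pif messages are never evaluated because of the exclusion, and the PDF sender never matches the scaled-back pattern. Dropping the exclusion (pass `smtp_servers=set()`) shows why Jason wanted it: the relay, which forwards everyone's mail, then trips the threshold as well.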