[Snort-sigs] Re: Fp ON 2001702

Colin Grady colin.grady at ...2420...
Mon Jul 4 10:52:10 EDT 2005


You could use the distance or within keywords to force the
content:"Bundle" to follow the content:"User-Agent\: " without using a
pcre. The following might be a good example of a rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity";
flow:established,to_server; content:"User-Agent\: "; nocase;
content:"Bundle"; nocase; within:30; classtype: policy-violation; sid:
2001702; rev:8;)

Perhaps?

Colin


On 7/4/05, Matt Jonkman <matt at ...2436...> wrote:
> I'm adjusting that one and the Grand Street Interactive sigs. I had
> split them up to avoid false positives, but this is causing more on
> those 2 sigs.
> 
> I'm hesitant to pcre these as there are a lot of them. But if I can't
> tune them I'll do that.
> 
> I'm putting this sig back together. The user-agent we're looking for is
> just that, not tacked onto the end of another string. Let me know if
> that does better.
> 
> Thanks
> 
> Matt
> 
> Michael Scheidell wrote:
> > Seems if you have sun java engine on your windows XP engine and attempt
> > to update it, you trigger the 2001702 signature:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
> > "BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
> > established,to_server; content:"User-Agent\: "; nocase;
> > content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
> > rev:6;)
> >
> > Should we not use some type of offset or use pcre to make sure 'Bundle'
> > comes after User-Agent?
> > Maybe this should be looked at for all of the 'user-agent' strings?
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
> > "BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
> > established,to_server; pcre:"/User-Agent\:.*Bundle/i"; classtype:
> > policy-violation; sid: 2001702; rev:7;)
> >
> > 000 : 47 45 54 20 2F 77 65 62 61 70 70 73 2F 64 6F 77   GET /webapps/dow
> > 010 : 6E 6C 6F 61 64 2F 41 75 74 6F 44 4C 3F 42 75 6E   nload/AutoDL?Bun
> > 020 : 64 6C 65 49 64 3D 39 39 39 33 20 48 54 54 50 2F   dleId=9993 HTTP/
> > 030 : 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.1..Accept: */*
> > 040 : 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E   ..Accept-Encodin
> > 050 : 67 3A 20 69 64 65 6E 74 69 74 79 0D 0A 52 61 6E   g: identity..Ran
> > 060 : 67 65 3A 20 62 79 74 65 73 3D 30 2D 34 38 37 31   ge: bytes=0-4871
> > 070 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
> > 080 : 63 72 6F 73 6F 66 74 20 42 49 54 53 2F 36 2E 36   crosoft BITS/6.6
> > 090 : 0D 0A 48 6F 73 74 3A 20 6A 64 6C 2E 73 75 6E 2E   ..Host: jdl.sun.
> > 0a0 : 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   com..Connection:
> > 0b0 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....
> >
> 
> --
> --------------------------------------------
> Matthew Jonkman, CISSP
> Senior Security Engineer
> Infotex
> 765-429-0398 Direct Anytime
> 765-448-6847 Office
> 866-679-5177 24x7 NOC
> my.infotex.com
> www.offsitefilter.com
> www.bleedingsnort.com
> --------------------------------------------
> 
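Added example, not from the thread: a small Python model of Snort's content / nocase / within matching that replays the Sun Java updater request from Michael's hex dump against the rev:6 rule (two independent contents) and Colin's rev:8 rule (within:30). The BUNDLE_UA_REQUEST sample is constructed to stand in for the user-agent the rule is meant to catch; the matcher is a simplified emulation, not Snort's engine.

```python
"""Compare the rev:6 and rev:8 forms of sid 2001702 on sample HTTP requests."""

# Reconstructed from the hex dump in the thread: "Bundle" is in the URI
# (BundleId=9993) and the User-Agent is Microsoft BITS, i.e. the false positive.
BITS_REQUEST = (
    b"GET /webapps/download/AutoDL?BundleId=9993 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Range: bytes=0-4871\r\n"
    b"User-Agent: Microsoft BITS/6.6\r\n"
    b"Host: jdl.sun.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed (hypothetical) request with "Bundle" inside the User-Agent value.
BUNDLE_UA_REQUEST = (
    b"GET /check HTTP/1.1\r\n"
    b"User-Agent: Bundle 1.0\r\n"
    b"Host: example.invalid\r\n\r\n"
)

def match_contents(payload, contents):
    """contents: list of (pattern, within).  within=None searches the whole
    payload (a content with no relative modifier); an int means the pattern
    must lie entirely inside the `within` bytes after the previous match end,
    which is what Snort's within: modifier enforces.  nocase always applies."""
    hay = payload.lower()
    prev_end = 0
    for pattern, within in contents:
        needle = pattern.lower()
        if within is None:
            start = hay.find(needle)
        else:
            # slicing the window means find() only reports fully contained hits
            rel = hay[prev_end:prev_end + within].find(needle)
            start = -1 if rel == -1 else prev_end + rel
        if start == -1:
            return False
        prev_end = start + len(needle)
    return True

# "User-Agent\: " in the rule is the literal bytes "User-Agent: " on the wire.
REV6 = [(b"User-Agent: ", None), (b"Bundle", None)]  # independent contents
REV8 = [(b"User-Agent: ", None), (b"Bundle", 30)]    # Bundle must follow the UA

def evaluate(payload):
    """Return which rule revisions fire on the given request."""
    return {"rev6": match_contents(payload, REV6),
            "rev8": match_contents(payload, REV8)}
```

The BITS request fires rev:6 but not rev:8, while the constructed Bundle user-agent fires both, which is the behaviour Colin's within:30 change is after.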
