[Snort-sigs] Help

Chad Gross cgross at ...3257...
Sun Oct 22 22:39:33 EDT 2006



-----Original Message-----
From: snort-sigs-bounces at lists.sourceforge.net
[mailto:snort-sigs-bounces at lists.sourceforge.net] On Behalf Of
snort-sigs-request at lists.sourceforge.net
Sent: Thursday, October 19, 2006 7:49 AM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs Digest, Vol 5, Issue 8

Send Snort-sigs mailing list submissions to
	snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
	snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-sigs-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Sourcefire VRT Certified Rules Update (Sourcefire VRT)
   2. False Positive (Adam Clinch)
   3. False postive SID 7100 (East, Bill)
   4. Bleeding Edge Threats Daily Update (bleeding at ...3254...)
   5. Bleeding Edge Threats Daily Update (bleeding at ...3254...)
   6. Error in oracle rule... (Jay 'Whip' Grizzard)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 Oct 2006 18:05:19 -0400
From: Sourcefire VRT <research at ...435...>
Subject: [Snort-sigs] Sourcefire VRT Certified Rules Update
To: Snort Sigs <snort-sigs at lists.sourceforge.net>
Message-ID: <4536A51F.9020008 at ...435...>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Rules Update

Synopsis:
The Sourcefire VRT has added multiple rules in the spyware-put and
backdoor categories to provide coverage for emerging spyware and trojan
horse threats. The VRT has also updated numerous rules in the FTP
category to accommodate larger default values for FTP services,
additionally reference information has been added and improved
throughout the VRT Certified Rule Set.


Details:
As a result of ongoing research, the Sourcefire VRT has added multiple
rules to the spyware and backdoor rule sets to provide coverage for
emerging threats from these technologies.

A number of rules in the FTP rule category have been updated to
accommodate larger default values in some FTP services.

The VRT has also updated and added reference information throughout the
entire Sourcefire VRT Certified Rule Set.

For a complete list of new and modified rules:

http://www.snort.org/rules/docs/ruleset_changelogs/changes-2006-10-18.ht
ml

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFFNqUfMpm0ve0NhMcRAv9SAJ0QLYKWSfVWR2vU0/azL4Bowa/iDQCgooOa
3PR6taVgZFnVslLJYSTYEaU=
=pGnz
-----END PGP SIGNATURE-----



------------------------------

Message: 2
Date: Fri, 29 Sep 2006 20:03:35 +1000
From: Adam Clinch <adam.clinch at ...2420...>
Subject: [Snort-sigs] False Positive
To: snort-sigs at lists.sourceforge.net
Message-ID: <451CEF77.2040301 at ...2420...>
Content-Type: text/plain; charset="iso-8859-1"

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
spyware-put.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"SPYWARE-PUT Adware hxdl runtime detection - crypt user-agent";
flow:to_server,established; content:"User-Agent|3A|"; nocase;
content:"CryptRetrieveObjectByUrl|3A 3A|InetSchemeProvider"; distance:0;
nocase;
pcre:"/^User-Agent\x3A[^\r\n]+CryptRetrieveObjectByUrl\x3A\x3AInetScheme
Provider/smi";
reference:url,www.spywareguide.com/product_show.php?id=516;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079;
classtype:misc-activity; sid:7555; rev:1;)

--
Sid:
7555 
--
Summary:
 This event is generated when activity relating to a spyware application
is detected. 
--
Impact:
 Unkown. Possible information disclosure, violation of privacy, possible
violation of policy.
--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Triggers on crl.microsoft.com


source addr 	  dest addr   	Ver 	Hdr Len 	TOS 	length
ID 	flags 
offset 	TTL 	chksum
147.10.195.135 
<http://192.168.0.254/acid/acid_stat_ipaddr.php?ip=147.10.195.135&netmas
k=32> 
	131.107.115.28 
<http://192.168.0.254/acid/acid_stat_ipaddr.php?ip=131.107.115.28&netmas
k=32> 
	4 	5 	0 	461 	15547 	0 	0 	64
44886

000 : 47 45 54 20 2F 70 6B 69 2F 63 72 6C 2F 70 72 6F   GET /pki/crl/pro
010 : 64 75 63 74 73 2F 43 6F 64 65 53 69 67 6E 50 43   ducts/CodeSignPC
020 : 41 2E 63 72 6C 20 48 54 54 50 2F 31 2E 30 0D 0A   A.crl HTTP/1.0..
030 : 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65   Accept: */*..Use
040 : 72 2D 41 67 65 6E 74 3A 20 43 72 79 70 74 52 65   r-Agent: CryptRe
050 : 74 72 69 65 76 65 4F 62 6A 65 63 74 42 79 55 72   trieveObjectByUr
060 : 6C 3A 3A 49 6E 65 74 53 63 68 65 6D 65 50 72 6F   l::InetSchemePro
070 : 76 69 64 65 72 0D 0A 48 6F 73 74 3A 20 63 72 6C   vider..Host: crl
080 : 2E 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 0D 0A   .microsoft.com..
090 : 43 6F 6F 6B 69 65 3A 20 73 5F 6E 72 3D 31 31 35   Cookie: s_nr=115
0a0 : 38 39 38 38 31 37 36 35 35 30 3B 20 57 54 5F 46   8988176550; WT_F
0b0 : 50 43 3D 69 64 3D 31 34 37 2E 31 30 2E 31 39 35   PC=id=147.10.195
0c0 : 2E 31 33 35 2D 31 31 33 34 36 37 32 31 31 32 2E   .135-1134672112.
0d0 : 32 39 38 31 30 33 37 38 3A 6C 76 3D 31 31 35 38   29810378:lv=1158
0e0 : 39 32 33 33 35 37 38 32 30 3A 73 73 3D 31 31 35   923357820:ss=115
0f0 : 38 39 35 32 31 30 35 39 31 30 3B 20 4D 43 31 3D   8952105910; MC1=
100 : 47 55 49 44 3D 39 30 62 34 38 64 36 39 61 63 64   GUID=90b48d69acd
110 : 66 32 65 34 64 61 39 34 61 63 38 63 66 32 33 34   f2e4da94ac8cf234
120 : 61 62 33 61 39 26 48 41 53 48 3D 36 39 38 64 26   ab3a9&HASH=698d&
130 : 4C 56 3D 32 30 30 36 39 26 56 3D 33 3B 20 41 3D   LV=20069&V=3; A=
140 : 49 26 49 3D 41 78 55 46 41 41 41 41 41 41 43 57   I&I=AxUFAAAAAACW
150 : 42 77 41 41 7A 53 39 42 54 35 4A 4A 2B 39 6A 34   BwAAzS9BT5JJ+9j4
160 : 36 46 75 6C 6A 58 30 65 74 67 21 21 0D 0A 43 61   6FuljX0etg!!..Ca
170 : 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D   che-Control: no-
180 : 63 61 63 68 65 2C 20 6D 61 78 2D 61 67 65 3D 32   cache, max-age=2
190 : 35 39 32 30 30 0D 0A 0D 0A                        59200....


--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://sourceforge.net/mailarchive/forum.php?forum=snort-sigs/attachment
s/20060929/d1c0cb57/attachment.html 

------------------------------

Message: 3
Date: Wed, 4 Oct 2006 09:51:50 -0400
From: "East, Bill" <eastb at ...627...>
Subject: [Snort-sigs] False postive SID 7100
To: <snort-sigs at lists.sourceforge.net>
Message-ID:
	<DB70207C75570343BD590F95BA86ADBC010D15E9 at ...3248...>

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  BACKDOOR mass connect 1.1 runtime detection - http

--
Sid: 7100

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: Numara Software, makers of TrackIt! audit software,
also use the UtilMind useragent to pull down content. This is sufficient
to trigger the rule.

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:




------------------------------

Message: 4
Date: Tue, 17 Oct 2006 21:00:10 -0400 (EDT)
From: bleeding at ...3254...
Subject: [Snort-sigs] Bleeding Edge Threats Daily Update
To: snort-sigs at lists.sourceforge.net
Message-ID: <20061018010010.65F1A5502A1 at ...3098...>
Content-Type: text/plain


[***] Results from Oinkmaster started Tue Oct 17 21:00:10 2006 [***]

[+++]          Added rules:          [+++]

 2003118 - BLEEDING-EDGE VIRUS SHELLCODE Shikata Ga Nai polymorphic
payload (bleeding-virus.rules)
 2003119 - BLEEDING-EDGE VIRUS SHELLCODE ADMutate polymorphic payload
(bleeding-virus.rules)
 2003120 - BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
(bleeding-policy.rules)
 2003121 - BLEEDING-EDGE docs.google.com Activity
(bleeding-policy.rules)
 2003122 - BLEEDING-EDGE Possible docs.google.com Activity
(bleeding-policy.rules)


[///]     Modified active rules:     [///]

 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING
(bleeding-dshield-BLOCK.rules)
 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
(bleeding-botcc.rules)
 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)
(bleeding-botcc.rules)
 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)
(bleeding-botcc.rules)
 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)
(bleeding-botcc.rules)
 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)
(bleeding-botcc.rules)
 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)


[---]         Removed rules:         [---]

 2003118 - BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
(bleeding-policy.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-policy.rules (1):
        # Submitted 2006-10-17 by Adam Nunn

     -> Added to bleeding-sid-msg.map (5):
        2003118 || BLEEDING-EDGE VIRUS SHELLCODE Shikata Ga Nai
polymorphic payload || url,toorcon.org/2006/conference.html?id=29
        2003119 || BLEEDING-EDGE VIRUS SHELLCODE ADMutate polymorphic
payload || url,toorcon.org/2006/conference.html?id=29
        2003120 || BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)
        2003121 || BLEEDING-EDGE docs.google.com Activity ||
url,docs.google.com
        2003122 || BLEEDING-EDGE Possible docs.google.com Activity ||
url,docs.google.com

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (1):
        2003118 || BLEEDING-EDGE POLICY Possible Image Spam Inbound (3)

     -> Removed from bleeding-virus.rules (2):
        #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
VIRUS SHELLCODE Shikata Ga Nai polymorphic payload";
classtype:shellcode-detect; dsize: >26; content: "|d9 74 24 f4|"; pcre:
"/[\x29\x2b\x31\x33]\xc9/sm"; pcre:
"/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/s
m";  pcre:
"/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\
xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00]
[^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x
47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\
xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\
x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x
78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e
-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33
\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^
\x00][^\x00][^\x00][\x24\
 
xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9]
[^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x5
8\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\
xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x3
1\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\
x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb
\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm";
reference:url,toorcon.org/2006/conference.html?id=29; sid;2003118;
rev:1;)
        #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE
VIRUS SHELLCODE ADMutate polymorphic payload";
classtype:shellcode-detect; dsize: >45; content: "|e8|"; content: "|ff
ff ff|"; distance: 1; within: 3; pcre:
"/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec
\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\
x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.
\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x0
9\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0
,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x
96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\
xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm";
reference:url,toorcon.org/2006/conference.html?id=29; sid;2003119;
rev:1;)




------------------------------

Message: 5
Date: Wed, 18 Oct 2006 21:00:09 -0400 (EDT)
From: bleeding at ...3254...
Subject: [Snort-sigs] Bleeding Edge Threats Daily Update
To: snort-sigs at lists.sourceforge.net
Message-ID: <20061019010009.474F155026A at ...3098...>
Content-Type: text/plain


[***] Results from Oinkmaster started Wed Oct 18 21:00:07 2006 [***]

[///]     Modified active rules:     [///]

 2001850 - BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer
Requested (1) (bleeding-malware.rules)
 2002093 - BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer
Requested (2) (bleeding-malware.rules)
 2002697 - BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote Code
Execution (bleeding-exploit.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source
(bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source - BLOCKING
(bleeding-dshield-BLOCK.rules)
 2410000 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1)
(bleeding-botcc.rules)
 2410001 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 2)
(bleeding-botcc.rules)
 2410002 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 3)
(bleeding-botcc.rules)
 2410003 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 4)
(bleeding-botcc.rules)
 2410004 - BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 5)
(bleeding-botcc.rules)
 2411000 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 1) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411001 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 2) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411002 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 3) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411003 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 4) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)
 2411004 - BLEEDING-EDGE DROP Known Bot C&C Traffic (group 5) - BLOCKING
SOURCE (bleeding-botcc-BLOCK.rules)


[///]    Modified inactive rules:    [///]

 2002692 - BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic -
Possible Infected Host (bleeding.rules)


[*] Non-rule line modifications: [*]
    None.




------------------------------

Message: 6
Date: Fri, 22 Sep 2006 15:57:43 -0700
From: Jay 'Whip' Grizzard <elfchief at ...3249...>
Subject: [Snort-sigs] Error in oracle rule...
To: snort-sigs at lists.sourceforge.net
Message-ID: <20060922225743.GK7734 at ...3250...>
Content-Type: text/plain; charset=us-ascii

I'm not certain where the right place to send bug reports in rules to
is,
and haven't been able to find specific data, so I'll try here.

I think that the oracle 'user name buffer overflow attempt' rule (sid
2650) 
is wrong and does not check for the correct string.

It currently reads (relevant snippet):

content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|";
within:1000

0x28 = (
0x22 = "

... which is basically saying to match on the string "(user=" if there's
not
a quote within the next thousand characters.

What I think it's *supposed* to do is to match if there's not a closing
parenthesis within the next thousand characters, since the string used
in actual requests is "(user=<username>)". 

So I think the rule should actually be (again, relevant snippet):

content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|";
within:1000

Thanks for your attention.

-jay



------------------------------

------------------------------------------------------------------------
-
Using Tomcat but need to do more? Need to support web services,
security?
Get stuff done quickly with pre-integrated technology to make your job
easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache
Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


End of Snort-sigs Digest, Vol 5, Issue 8
****************************************

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.408 / Virus Database: 268.13.5/485 - Release Date:
10/19/2006
 
  

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.408 / Virus Database: 268.13.9/490 - Release Date:
10/20/2006
 





More information about the Snort-sigs mailing list