[Snort-sigs] Coverage for the "Night Dragon" Trojan

Mike Cox mike.cox52 at ...2420...
Thu Feb 10 16:39:23 EST 2011


Agreed ... not trying to ruffle feathers here.  In hindsight, maybe I
should have included a smiley :)  or two :)

-Mike Cox
 1060 West Addison Street
 Chicago, IL 60613
 (773) 404-2827

On Thu, Feb 10, 2011 at 3:26 PM, Matthew Jonkman
<jonkman at ...3525...> wrote:
> Yes, please. Matt and most of the SF folks have been supportive of ET and ET
> Pro, and Matt pointing out our oversight was quite charitable. I appreciate
> it.
> The intel we all got on the lists and behind the scenes was pretty clear,
> and there's not a lot of room for sig variation. It's a clear thing to look
> for.
> Let's not ruffle feathers when there's nothing but good being done. :)
> Matt
>
> On Feb 10, 2011, at 4:17 PM, Matt Olney wrote:
>
> Send the bill for what, exactly?
> Let me be especially clear about something.  I've been a supporter of ET for
> a while.  When I'm asked at conferences what to use, I always say to
> evaluate both sets and pick one or both depending on your needs.  I honestly
> believe that there is a place in an operations environment for both.  I do
> not and would not trash the ET project.
> However, it would be a solid waste of my time to troll through the ET list
> looking for sigs.  The signatures are not written with the same goals we
> have, we have an exceptional degree of information coming in that is
> not publicly available and we don't have to do my collaboration over an
> email list.  I can turn around and talk to five people whose duties include
> a substantial amount of daily rule writing.  I have the Snort devs within 20
> yards of me if I need them and at this point there is an exceptionally
> limited set of people who know more about the engine than I do.
> I felt in this case that the level of exposure and the fact that the rule
> that was linked to would flat out not fire obligated me to say something.
> People depend on your sigs, like they depend on mine.  This issue was high
> profile, and I'm not going to let petty competition cause people trusting
> that rule to not be protected.
> Matt
> On Thu, Feb 10, 2011 at 4:01 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
>>
>> Hmmm ... this sounds like the sig I proposed to Emerging Threats  this
>> morning but got no feedback on.
>>
>> Sourcefire, please let me know where to send the bill.
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
>>   msg:"ET TROJAN Night Dragon C&C Communication Outbound"; \
>>   content:"|68 57 24 13|"; offset:12; depth:4; http_client_body; \
>>   pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P"; \
>>   classtype:trojan-activity; \
>>   reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; \
>>   sid:2011213456;)
>>
>> -Mike Cox
>>
>> On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney at ...435...> wrote:
>> > Hey ET folks who are here...
>> > If you guys could pass on this information:
>> > The rules provided won't fire on Night Dragon C&C traffic.  The offset:66
>> > is calculated from the beginning of the Layer 2 portion of the packet.  The
>> > data portion (what Snort looks at) starts at offset 54.  The correct offset
>> > for the rule should be 12.  Also, you probably want to add a depth:
>> > qualifier of 3 bytes so you don't false positive further down the packet.
>> > Don't normally check in on you guys, but this was important enough to
>> > check.
>> >
>> > Matt
>> > On Thu, Feb 10, 2011 at 2:47 PM, evilghost at ...3397...
>> > <evilghost at ...3397...> wrote:
>> >>
>> >> On 02/10/11 13:41, Joel Esler wrote:
>> >> > Registered users will have the normal 30 day wait.
>> >>
>> >> Joel, I think this is ok to post here...
>> >>
>> >> Those who are looking for coverage and are not VRT subscribers: they're in
>> >> Emerging-Threats (http://www.emergingthreats.net).
>> >>
>> >> There's an ongoing discussion here regarding several signatures which have
>> >> been proposed for inclusion, see
>> >>
>> >> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
>> >>
>> >> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
>> >> simple/normal community participant there.
>> >>
>> >> --
>> >> It has been said that "hate" is a powerful emotion, perhaps that's why I'm
>> >> so strong.
>> >>
>> >> -evilghost
>> >>
>> >> ------------------------------------------------------------------------------
>> >> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio
>> >> XE:
>> >> Pinpoint memory and threading errors before they happen.
>> >> Find and fix more than 250 security defects in the development cycle.
>> >> Locate bottlenecks in serial and parallel code that limit performance.
>> >> http://p.sf.net/sfu/intel-dev2devfeb
>> >> _______________________________________________
>> >> Snort-sigs mailing list
>> >> Snort-sigs at lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> >> http://www.snort.org
>> >
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>




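Matt's arithmetic above (an offset measured from the start of the Layer 2 frame is not the offset Snort's `content`/`offset`/`depth` use, which count from the first TCP payload byte) worked through as an added example that is not part of the thread. The frame builder, the Night Dragon-shaped sample payload and the `content_match` emulation of Snort's offset/depth window are constructed here; the 54-byte figure assumes Ethernet II plus an IPv4 and TCP header with no options, and the example also shows how options move that boundary.

```python
import struct
from typing import Optional

# Constructed sample frame parts: an Ethernet II header and a payload shaped like
# the beacon the thread's pcre describes (01 50 ..., magic 68 57 24 13 at byte 12).
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
PAYLOAD = b"\x01\x50" + b"\x00" * 10 + b"\x68\x57\x24\x13" + b"\x00" * 16
MAGIC = b"\x68\x57\x24\x13"

def build_frame(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Ethernet/IPv4/TCP frame around payload; checksums left zero, options optional."""
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + doff * 4 + len(payload),
                     0, 0x4000, 64, 6, 0, b"\x0a\x00\x00\x02", b"\xc0\xa8\x01\x01") + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, doff << 4, 0x18, 8192, 0, 0) + tcp_opts
    return ETH_HDR + ip + tcp + payload

def payload_start(frame: bytes) -> int:
    """Index where the TCP payload (the bytes Snort's content/offset see) begins."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 over Ethernet II is handled here")
    ihl = (frame[14] & 0x0F) * 4          # IP header length incl. options
    tcp_at = 14 + ihl
    doff = (frame[tcp_at + 12] >> 4) * 4  # TCP header length incl. options
    return tcp_at + doff

def frame_to_payload_offset(frame: bytes, frame_offset: int) -> int:
    """Convert an offset measured from the frame start into Snort's payload-relative offset."""
    return frame_offset - payload_start(frame)

def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> int:
    """Emulate Snort content/offset/depth: the pattern must lie fully inside
    payload[offset:offset+depth]. Returns the match index or -1."""
    end = len(payload) if depth is None else offset + depth
    pos = payload[offset:end].find(pattern)
    return -1 if pos < 0 else offset + pos

if __name__ == "__main__":
    frame = build_frame(PAYLOAD)
    data = frame[payload_start(frame):]
    print("payload starts at", payload_start(frame))                      # 54
    print("frame offset 66 ->", frame_to_payload_offset(frame, 66))       # 12
    print("offset:66 match:", content_match(data, MAGIC, 66, 4))          # -1, never fires
    print("offset:12 depth:4 match:", content_match(data, MAGIC, 12, 4))  # 12
    # With 12 bytes of TCP options the payload starts at 66, so a frame-relative
    # offset is wrong in general; payload-relative offsets stay correct.
    print("with TCP options:", payload_start(build_frame(PAYLOAD, tcp_opts=b"\x01" * 12)))
```

Note that a `depth` smaller than the pattern length can never match, which is why a 4-byte content needs at least `depth:4`.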