[Snort-sigs] [Emerging-Sigs] Coverage for the "Night Dragon" Trojan

Nick Randolph randolphdavidn at ...2420...
Thu Feb 10 16:19:47 EST 2011


I missed that on the offset and depth.

On Thu, Feb 10, 2011 at 4:01 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
> Hmmm ... this sounds like the sig I proposed to Emerging Threats this
> morning but got no feedback on.
>
> Sourcefire, please let me know where to send the bill.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Night Dragon C&C Communication Outbound"; content:"|68 57 24 13|";
> offset:12; depth:4; http_body;
> pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P";
> classtype:trojan-activity;
> reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf;
> sid:2011213456;)
>
> -Mike Cox
>
> On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney at ...435...> wrote:
>> Hey ET folks who are here...
>> If you guys could pass on this information:
>> The rules provided won't fire on Night Dragon C&C traffic.  The offset:66
>> is calculated from the beginning of the Layer 2 portion of the packet.  The
>> data portion (what Snort looks at) starts at offset 54.  The correct offset
>> for the rule should be 12.  Also, you probably want to add a depth:
>> qualifier of 3 bytes so you don't false positive further down the packet.
>> Don't normally check in on you guys, but this was important enough to check.
>>
>> Matt
>> On Thu, Feb 10, 2011 at 2:47 PM, evilghost at ...3397...
>> <evilghost at ...3397...> wrote:
>>>
>>> On 02/10/11 13:41, Joel Esler wrote:
>>> > Registered users will have the normal 30 day wait.
>>>
>>> Joel, I think this is ok to post here...
>>>
>>> For those who are looking for coverage and are not VRT subscribers, it's in
>>> Emerging-Threats (http://www.emergingthreats.net).
>>>
>>> There's an ongoing discussion here regarding several signatures which have
>>> been proposed for inclusion, see
>>>
>>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
>>>
>>> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
>>> simple/normal community participant there.
>>>
>>> - --
>>> It has been said that "hate" is a powerful emotion, perhaps that's why I'm
>>> so strong.
>>>
>>> - -evilghost
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>> http://www.snort.org
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...3335...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>
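Matt's point about the offset being counted from the Layer 2 header, worked through as an added example that is not part of the thread and is not Sourcefire or Emerging Threats code. It assumes a plain Ethernet/IPv4/TCP frame with no options, which is where the 54-byte figure comes from, and applies the content check to the raw TCP payload; the proposed rule's HTTP body-buffer modifier is not modelled here, and with such a buffer the offset would count from the start of that buffer instead. The frame, the payload and the second "marker further down the packet" payload are all constructed.

```python
"""Added example (not from the thread, not Sourcefire or ET code): how Snort's
offset: counts from the start of the TCP payload rather than from the start of
the captured frame, and what depth: does to a content match.

Everything below is constructed: a synthetic Ethernet/IPv4/TCP frame with a
made-up payload; checksums are left at zero because only the header lengths
matter for locating the payload.
"""
import re
import struct
from typing import Optional

# The four-byte pattern from the proposed rule: content:"|68 57 24 13|"
MARKER = bytes.fromhex("68572413")
# The pcre from the proposed rule, without the Snort-specific /P buffer flag
RULE_PCRE = re.compile(rb"[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13")


def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 (no options) + TCP (no options) frame."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst, src, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload),      # ver/IHL=5, TOS, total length
                     0, 0, 64, 6, 0,                       # id, flags/frag, TTL, proto TCP, csum
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH",
                      49152, 80, 0, 0,                     # sport, dport, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)           # data offset=5, PSH|ACK, window, csum, urg
    return eth + ip + tcp + payload


def payload_start(frame: bytes) -> int:
    """Index of the first payload byte, the way a decoder finds it:
    14-byte Ethernet header + IHL*4 IPv4 header + (data offset)*4 TCP header."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return tcp_start + data_off


def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort-style content check: start looking `offset` bytes into the buffer
    and, if depth is given, consider only the next `depth` bytes."""
    end = None if depth is None else offset + depth
    return pattern in buf[offset:end]


def demo() -> dict:
    # Marker 12 bytes into the payload: absolute frame offset 54 + 12 = 66,
    # which is where offset:66 comes from if you count from the Ethernet header.
    payload = b"\x01\x50" + b"\x00" * 10 + MARKER + b"\x00" * 4
    frame = build_frame(payload)
    start = payload_start(frame)
    absolute = frame.index(MARKER)

    # Same marker much further into the payload: offset:12 alone still hits it,
    # offset:12 with depth:4 does not, which is the false-positive point.
    deep = b"\x01\x50" + b"\x00" * 38 + MARKER

    return {
        "payload_start": start,                                              # 54
        "absolute_offset": absolute,                                         # 66
        "payload_offset": absolute - start,                                  # 12
        "offset_66": content_match(payload, MARKER, offset=66, depth=4),     # False
        "offset_12_depth_4": content_match(payload, MARKER, offset=12, depth=4),  # True
        "deep_no_depth": content_match(deep, MARKER, offset=12),             # True
        "deep_with_depth": content_match(deep, MARKER, offset=12, depth=4),  # False
        "pcre_hits": RULE_PCRE.search(payload) is not None,                  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the 54/66/12 arithmetic from Matt's message and shows the two rule variants side by side: offset:66 never matches because the payload buffer is only 20 bytes long, while offset:12 with depth:4 matches the marker at its expected position and ignores the same bytes when they appear later in the payload.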