[Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures

Jamie Riden jamie.riden at ...2420...
Thu Nov 3 14:11:09 EDT 2011


So there is a bit in the snort manual about optimising rules, e.g.
putting dsize before content matches. (p200 in the 2.9.1 manual).  I
know I read *somewhere* about having at least one content match before
PCRE, but I can't find the reference to it now. Anyone?

The idea being I guess that most packets get discarded pretty quickly
cos they don't match content:"KeepAlive" (quick), and you save the
expensive PCRE in 99.9% of cases.

[full disclosure: I work for a direct competitor of Context - I'm not
saying who :)  ]

cheers,
 Jamie

On 3 November 2011 18:00, Context IS - Disclosure
<disclosure at ...3619...> wrote:
> Thanks guys for your feedback, we have updated the signatures on the blog to include the content option, as you suggested.
> Apologies for the apparent advertising.
> Cheers,
> Mike
>
> ________________________________________
> From: Bad Horse [b4dh0rs3 at ...2420...]
> Sent: 03 November 2011 17:27
> To: Martin Holste
> Cc: Context IS - Disclosure; snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Context: Malware Blog Post on Dark Comet RAT with Snort Signatures
>
> Martin,
>
> Thank you for saying this.  I was really trying to be nice here but
> apparently I did not perform due diligence enough to see that the
> Emerging Threats (http://www.emergingthreats.net) community has this
> already covered.  I won't nit-pick the poor quality of the rules
> suggested by disclosure at ...3619... but let's just say it reminds
> me of VRT new-hires (just kidding VRT .. mostly :)
>
> But seriously, I applaud the Emerging Threats community for once again
> being ahead of the threat and beating out competition like Sourcefire
> VRT, ISS X-Force, TippingPoint "Digital Doctors", McAfee "I really
> need a job so I'll take this one" group, Symantec "meh, just pay us"
> team, Checkpoint "you can't be sure but we don't block on the
> Sabbath", and others.
>
> -Bad Horse
>  The Thoroughbred of SYN
>
> On 11/3/11, Martin Holste <mcholste at ...2420...> wrote:
>>> Context Information Security has released a blog post on the Dark Comet
>>> RAT.  The article covers the reverse engineering and analysis of its
>>> functionality, how to decrypt its traffic and snort signatures to detect
>>> its traffic on the wire.
>>>
>>
>> Intel is always welcome on mailing lists, but advertising is not.
>> Your post here is walking a very fine line between the two.
>>
>>>
>>> Signatures:
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature:
>>> DarkComet-RAT Incoming Keepalive"; flow:from_server,established;
>>> pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2;
>>> reference:url,www.contextis.com/research/blog/darkcometrat/;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature:
>>> DarkComet-RAT Outgoing Keepalive"; flow:to_server,established;
>>> pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:1;
>>> reference:url,www.contextis.com/research/blog/darkcometrat/;)
>>>
>>
>> These signatures are poor and have had better versions available for
>> free to the Snort community since June 21st via a separate
>> organization on a separate mailing list under sid 2013090.  I have no
>> problem with beginners posting sigs that need improvement, but if you
>> advertise for your company, you lose "beginner" status.
>>
>> ------------------------------------------------------------------------------
>> RSA(R) Conference 2012
>> Save $700 by Nov 18
>> Register now
>> http://p.sf.net/sfu/rsa-sfdev2dev1
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
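The ordering point Jamie raises at the top of the thread, shown on the thread's own rules as an added example (not from the Context blog post or from any poster): the incoming keepalive rule as originally posted, beside a rewrite that puts a literal content match ahead of the pcre so the fast-pattern matcher discards non-matching payloads before the regex ever runs. The rev bumps are my assumption, |7C| is Snort's hex escape for a literal pipe inside a content string, and dsize is left out because the thread does not state the keepalive packet length.

```snort
# As posted (pcre only): every established from_server payload is handed
# to the regex engine, which is the expensive path.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)

# Rewritten: the single content option becomes the rule's fast pattern, so
# only payloads containing the literal "KeepAlive|" reach the pcre.
# |7C| is the pipe character; a bare | would start a hex byte sequence.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Context Signature: DarkComet-RAT Incoming Keepalive"; flow:from_server,established; content:"KeepAlive|7C|"; pcre:"/KeepAlive\|\d{7}/"; classtype:trojan-activity; sid:1000001; rev:3; reference:url,www.contextis.com/research/blog/darkcometrat/;)

# Same treatment for the outgoing direction (upper-case token, no pipe).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Context Signature: DarkComet-RAT Outgoing Keepalive"; flow:to_server,established; content:"KEEPALIVE"; pcre:"/KEEPALIVE\d{7}/"; classtype:trojan-activity; sid:1000002; rev:2; reference:url,www.contextis.com/research/blog/darkcometrat/;)
```

The pcre is kept as posted so the 7-digit check still applies; the content match only decides which packets are worth running it on.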
