[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"

Matt Olney molney at ...435...
Wed Feb 29 16:19:34 EST 2012


Um...

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq
structure"; flow:established,from_server; content:")|3b|}catch(qq";
fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)

THE WAY would be to add file_data; before the content match and remove
fast_pattern:only;  That would be a standardized formatting issue rather
than anything that would affect the performance of the rule.  We remove
fast_pattern:only; because it allows the match outside of the file_data
buffer (not that that would matter in this case; you're not going to see
}catch(qq anywhere else).

Because it is a file, and you're not using any http_inspect buffers, we'd
use $FILE_DATA_PORTS in case it is delivered via mail (saw one like that
yesterday).

Since you're associating with an exploit kit, rather than an active trojan,
and given that exploits are typically aimed at user applications, I'd use
classtype:attempted-user;

So WE would probably write it something like:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS Possible Blackhole landing page with specific catch qq
structure"; flow:to_client,established; file_data;
content:")|3b|}catch(qq"; classtype:attempted-user; sid:x; rev:1;)

Again, these are primarily cosmetic changes that do nothing, in this simple
case, to modify the functionality of the rule.

Matt

On Wed, Feb 29, 2012 at 12:39 PM, Community Proposed
<lists at ...3397...> wrote:

> Below is a proposed signature to detect the try{ catch()} approaches used by
> the Blackhole exploit kits which to date share a commonality with the
> attachment to "catch(qq".  Looking at all of my PCAP samples these match
> nicely, perform well, and have not been prone to false positives.
>
> This is also doing very well in detecting new Blackhole initial landings and
> the various, near daily, changing permutations of the string
> splitting/building methods.  I am seeing a large presence of legitimate sites
> which have been compromised now delivering Blackhole.  Some of these are k12
> US education/school sites.
>
> 21438 can be retired in place of the proposed above.  Joel, existing PCAPs for
> Blackhole landings should suffice for validation of the above, if more are
> needed, please let me know.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
> SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq
> structure"; flow:established,from_server; content:")|3b|}catch(qq";
> fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)
>
> I know there is a VRT standard for writing these, please respond to me after
> transforming the rule for compliance so that future submissions can adhere to
> this standard.  The reference from 21438 can be used here.
>
> Thanks,
> Nathan
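The two points Matt raises about the content match (that the semicolon has to be written as the hex escape |3b|, and that file_data confines the search to the response body) can be seen with a small model of how Snort evaluates that option. The following Python is an added example for this thread, not Snort code and not part of either list post; the two HTTP responses in it are constructed for illustration, with a harmless JavaScript stub standing in for a landing page.

```python
"""Added example: model of the content match and file_data scoping discussed above.

Not Snort code and not from the original list post; the HTTP responses below are
constructed for illustration only.
"""

# The content string exactly as written in the proposed rule. Snort cannot take a
# raw ';' inside a content string (it terminates the rule option), so the
# semicolon is written as the hex escape |3b|.
RULE_CONTENT = ")|3b|}catch(qq"

# Constructed sample: a response whose body carries the try/catch structure the
# rule looks for (the JavaScript is a harmless stub, not real kit code).
LANDING_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><script>try{render();}catch(qq){}</script></html>"
)

# Constructed sample: the same byte sequence appears only in a header, never in
# the body, so a match scoped with file_data must NOT fire on it.
HEADER_ONLY_SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Debug: );}catch(qq\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>nothing to see</body></html>"
)


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode a Snort content string into the raw bytes it matches.

    Text outside '|' pairs is literal; text inside is whitespace-separated hex
    byte values, e.g. "|3b|" -> b";" and "|0d 0a|" -> b"\\r\\n".
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string: %r" % pattern)
    out = bytearray()
    for index, part in enumerate(parts):
        if index % 2 == 0:
            out += part.encode("latin-1")                     # literal text
        else:
            out += bytes(int(h, 16) for h in part.split())   # hex run
    return bytes(out)


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (headers, body).

    The body is what file_data exposes; without file_data the content match is
    free to hit anywhere in the payload, headers included.
    """
    headers, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers marker")
    return headers, body


def rule_matches(raw_response: bytes, content: str = RULE_CONTENT,
                 use_file_data: bool = True) -> bool:
    """Return True if the content match would hit this response.

    use_file_data=True models 'file_data; content:...' (body only);
    use_file_data=False models the original rule, which may match anywhere.
    """
    needle = snort_content_to_bytes(content)
    if use_file_data:
        _, body = split_http_response(raw_response)
        return needle in body
    return needle in raw_response


if __name__ == "__main__":
    print("decoded content:", snort_content_to_bytes(RULE_CONTENT))
    for name, sample in (("landing", LANDING_SAMPLE),
                         ("header-only", HEADER_ONLY_SAMPLE)):
        print(name,
              "file_data:", rule_matches(sample, use_file_data=True),
              "anywhere:", rule_matches(sample, use_file_data=False))
```

The header-only sample is the case Matt calls unlikely in practice but worth handling by convention: with file_data the match is confined to the body that the HTTP (or, with $FILE_DATA_PORTS, the mail) preprocessor hands the rule, while the original rule's payload-wide search, kept that way by fast_pattern:only, would also fire on the header. This model only reproduces those two semantics; Snort's real fast-pattern matcher and buffer normalization are more involved.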