[Snort-sigs] Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"

Joel Esler jesler at ...435...
Mon Mar 5 10:48:41 EST 2012


Nathan, I changed our rule to this:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)

It fires perfectly.  Thanks for the update.

Joel


On Mar 5, 2012, at 10:36 AM, Joel Esler wrote:

> Thanks Nathan, I'm taking a look at this now.
> 
> 
> On Mar 5, 2012, at 9:24 AM, Community Proposed wrote:
> 
>> Please adjust 21417 to these content matches:
>> 
>> file_data; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only;
>> content:"|0d 0a|%PDF-1.6|0d 0a|";
>> content:"|0d 0a 31 39 20 30 20 6f 62 6a 0d 0a|"; distance:0;
>> 
>> The author string appears to be random or varying, however, the PDF
>> header/objects and CreationDate are consistent.
>> 
>> "bub lob" variant:
>> 
>>       0x0000:  4500 0514 0ce9 4000 3106 8081 1fb8 c023  E.....@.1......#
>>       0x0010:  0ad7 ccc7 0050 0662 84ea 8112 ad99 a242  .....P.b.......B
>>       0x0020:  5010 0037 0a3d 0000 4854 5450 2f31 2e31  P..7.=..HTTP/1.1
>>       0x0030:  2032 3030 204f 4b0d 0a44 6174 653a 2054  .200.OK..Date:.T
>>       0x0040:  7565 2c20 3134 2046 6562 2032 3031 3220  ue,.14.Feb.2012.
>>       0x0050:  3133 3a35 303a 3536 2047 4d54 0d0a 5365  13:50:56.GMT..Se
>>       0x0060:  7276 6572 3a20 4170 6163 6865 2f32 2e32  rver:.Apache/2.2
>>       0x0070:  2e33 2028 4365 6e74 4f53 290d 0a58 2d50  .3.(CentOS)..X-P
>>       0x0080:  6f77 6572 6564 2d42 793a 2050 4850 2f35  owered-By:.PHP/5
>>       0x0090:  2e33 2e38 0d0a 4163 6365 7074 2d52 616e  .3.8..Accept-Ran
>>       0x00a0:  6765 733a 2062 7974 6573 0d0a 436f 6e74  ges:.bytes..Cont
>>       0x00b0:  656e 742d 4c65 6e67 7468 3a20 3531 3339  ent-Length:.5139
>>       0x00c0:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>       0x00d0:  6974 696f 6e3a 2069 6e6c 696e 653b 2066  ition:.inline;.f
>>       0x00e0:  696c 656e 616d 653d 3937 3130 2e70 6466  ilename=9710.pdf
>>       0x00f0:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c  ..Connection:.cl
>>       0x0100:  6f73 650d 0a43 6f6e 7465 6e74 2d54 7970  ose..Content-Typ
>>       0x0110:  653a 2061 7070 6c69 6361 7469 6f6e 2f70  e:.application/p
>>       0x0120:  6466 0d0a 0d0a 2550 4446 2d31 2e36 0d0a  df....%PDF-1.6..
>>       0x0130:  25e2 e3cf d30d 0a31 3920 3020 6f62 6a0d  %......19.0.obj.
>>       0x0140:  0a3c 3c2f 4669 6c74 6572 2f46 6c61 7465  .<</Filter/Flate
>>       0x0150:  4465 636f 6465 202f 4c65 6e67 7468 2032  Decode./Length.2
>>       0x0160:  343e 3e0d 0a73 7472 6561 6d0d 0a78 9c8d  4>>..stream..x..
>>       0x0170:  58db 6edc 3678 9c8d 58db 6edc 3678 9c8d  X.n.6x..X.n.6x..
>>       0x0180:  58db 6edc 360d 0a65 6e64 7374 7265 616d  X.n.6..endstream
>>       0x0190:  0d0a 656e 646f 626a 0d0a 3120 3020 6f62  ..endobj..1.0.ob
>>       0x01a0:  6a0d 0a3c 3c2f 5479 7065 2f50 6167 6520  j..<</Type/Page.
>>       0x01b0:  2f50 6172 656e 7420 3520 3020 5220 2f52  /Parent.5.0.R./R
>>       0x01c0:  6573 6f75 7263 6573 2031 3220 3020 5220  esources.12.0.R.
>>       0x01d0:  2f4d 6564 6961 426f 7820 5b30 2030 2035  /MediaBox.[0.0.5
>>       0x01e0:  3935 2038 3432 5d20 2f43 6f6e 7465 6e74  95.842]./Content
>>       0x01f0:  7320 3139 2030 2052 202f 526f 7461 7465  s.19.0.R./Rotate
>>       0x0200:  2030 3e3e 0d0a 656e 646f 626a 0d0a 3520  .0>>..endobj..5.
>>       0x0210:  3020 6f62 6a20 0d0a 3c3c 2f43 6f75 6e74  0.obj...<</Count
>>       0x0220:  2032 202f 4b69 6473 205b 3120 3020 525d  .2./Kids.[1.0.R]
>>       0x0230:  202f 5479 7065 2f50 6167 6573 3e3e 0d0a  ./Type/Pages>>..
>>       0x0240:  656e 646f 626a 0d0a 3620 3020 6f62 6a0d  endobj..6.0.obj.
>>       0x0250:  0a3c 3c2f 5479 7065 2f46 6f6e 7420 2f53  .<</Type/Font./S
>>       0x0260:  7562 7479 7065 2f54 7970 6531 202f 4261  ubtype/Type1./Ba
>>       0x0270:  7365 466f 6e74 2f54 696d 6573 2d52 6f6d  seFont/Times-Rom
>>       0x0280:  616e 202f 4e61 6d65 2f46 3120 2f45 6e63  an./Name/F1./Enc
>>       0x0290:  6f64 696e 672f 5769 6e41 6e73 6945 6e63  oding/WinAnsiEnc
>>       0x02a0:  6f64 696e 673e 3e0d 0a65 6e64 6f62 6a0d  oding>>..endobj.
>>       0x02b0:  0a31 3220 3020 6f62 6a0d 0a3c 3c2f 5072  .12.0.obj..<</Pr
>>       0x02c0:  6f63 5365 7420 5b2f 5850 4446 202f 5465  ocSet.[/XPDF./Te
>>       0x02d0:  7874 202f 496d 6167 6542 202f 496d 6167  xt./ImageB./Imag
>>       0x02e0:  6543 202f 496d 6167 6549 5d20 2f46 6f6e  eC./ImageI]./Fon
>>       0x02f0:  7420 3c3c 2f46 3120 3620 3020 523e 3e20  t.<</F1.6.0.R>>.
>>       0x0300:  2f58 4f62 6a65 6374 203c 3c3e 3e3e 3e0d  /XObject.<<>>>>.
>>       0x0310:  0a65 6e64 6f62 6a0d 0a39 2030 206f 626a  .endobj..9.0.obj
>>       0x0320:  203c 3c2f 5469 746c 6520 2028 7661 2920  .<</Title..(va).
>>       0x0330:  2f53 7562 6a65 6374 2028 6576 2920 2f41  /Subject.(ev)./A
>>       0x0340:  7574 686f 7220 2879 7670 2064 6576 6f29  uthor.(yvp.devo)
>>       0x0350:  202f 4372 6561 746f 7220 2862 7562 206c  ./Creator.(bub.l
>>       0x0360:  6f62 2920 2f43 7265 6174 696f 6e44 6174  ob)./CreationDat
>>       0x0370:  6520 2844 3a32 3031 3130 3430 3532 3334  e.(D:20110405234
>>       0x0380:  3632 3829 3e3e 0d0a 656e 646f 626a 0d0a  628)>>..endobj..
>>       0x0390:  3239 2030 206f 626a 0d0a 3c3c 2f54 7970  29.0.obj..<</Typ
>>       0x03a0:  652f 456d 6265 6464 6564 4669 6c65 202f  e/EmbeddedFile./
>>       0x03b0:  4669 6c74 6572 2f46 6c61 7465 4465 636f  Filter/FlateDeco
>>       0x03c0:  6465 202f 4c65 6e67 7468 2031 3332 3e3e  de./Length.132>>
>>       0x03d0:  0d0a 7374 7265 616d 0d0a 789c b3b1 afc8  ..stream..x.....
>>       0x03e0:  cd51 284b 2d2a cecc cfb3 5532 d433 5052  .Q(K-*....U2.3PR
>>       0x03f0:  48cd 4bce 4fc9 cc4b b755 0d0a 656e 6473  H.K.O..K.U..ends
>>       0x0400:  7472 6561 6d0d 0a65 6e64 6f62 6a0d 0a38  tream..endobj..8
>>       0x0410:  2030 206f 626a 2020 0d0a 3c3c 2f46 696c  .0.obj....<</Fil
>>       0x0420:  7465 7220 2f46 6c61 7465 4465 636f 6465  ter./FlateDecode
>>       0x0430:  2020 2f4c 656e 6774 6820 3331 3836 3e3e  ../Length.3186>>
>>       0x0440:  0d0a 7374 7265 616d 0d0a 789c ed9d e96f  ..stream..x....o
>> 
>> "yfvfp" variant:
>> 
>>       0x0000:  4500 0514 64f0 4000 3106 54c0 5bd3 581a  E...d.@.1.T.[.X.
>>       0x0010:  0ad7 cc6f 0050 06b6 42c5 013b 8a6d 20d7  ...o.P..B..;.m..
>>       0x0020:  5010 169e 40ac 0000 4854 5450 2f31 2e31  P...@...HTTP/1.1
>>       0x0030:  2032 3030 204f 4b0d 0a44 6174 653a 2053  .200.OK..Date:.S
>>       0x0040:  756e 2c20 3034 204d 6172 2032 3031 3220  un,.04.Mar.2012.
>>       0x0050:  3034 3a31 313a 3134 2047 4d54 0d0a 5365  04:11:14.GMT..Se
>>       0x0060:  7276 6572 3a20 4170 6163 6865 2f32 2e32  rver:.Apache/2.2
>>       0x0070:  2e33 2028 4365 6e74 4f53 290d 0a58 2d50  .3.(CentOS)..X-P
>>       0x0080:  6f77 6572 6564 2d42 793a 2050 4850 2f35  owered-By:.PHP/5
>>       0x0090:  2e33 2e38 0d0a 4163 6365 7074 2d52 616e  .3.8..Accept-Ran
>>       0x00a0:  6765 733a 2062 7974 6573 0d0a 436f 6e74  ges:.bytes..Cont
>>       0x00b0:  656e 742d 4c65 6e67 7468 3a20 3531 3931  ent-Length:.5191
>>       0x00c0:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>       0x00d0:  6974 696f 6e3a 2069 6e6c 696e 653b 2066  ition:.inline;.f
>>       0x00e0:  696c 656e 616d 653d 3135 3538 2e70 6466  ilename=1558.pdf
>>       0x00f0:  0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c  ..Connection:.cl
>>       0x0100:  6f73 650d 0a43 6f6e 7465 6e74 2d54 7970  ose..Content-Typ
>>       0x0110:  653a 2061 7070 6c69 6361 7469 6f6e 2f70  e:.application/p
>>       0x0120:  6466 0d0a 0d0a 2550 4446 2d31 2e36 0d0a  df....%PDF-1.6..
>>       0x0130:  25e2 e3cf d30d 0a31 3920 3020 6f62 6a0d  %......19.0.obj.
>>       0x0140:  0a3c 3c2f 4669 6c74 6572 2f46 6c61 7465  .<</Filter/Flate
>>       0x0150:  4465 636f 6465 202f 4c65 6e67 7468 2032  Decode./Length.2
>>       0x0160:  343e 3e0d 0a73 7472 6561 6d0d 0a78 9c8d  4>>..stream..x..
>>       0x0170:  58db 6edc 3678 9c8d 58db 6edc 3678 9c8d  X.n.6x..X.n.6x..
>>       0x0180:  58db 6edc 360d 0a65 6e64 7374 7265 616d  X.n.6..endstream
>>       0x0190:  0d0a 656e 646f 626a 0d0a 3120 3020 6f62  ..endobj..1.0.ob
>>       0x01a0:  6a0d 0a3c 3c2f 5479 7065 2f50 6167 6520  j..<</Type/Page.
>>       0x01b0:  2f50 6172 656e 7420 3520 3020 5220 2f52  /Parent.5.0.R./R
>>       0x01c0:  6573 6f75 7263 6573 2031 3220 3020 5220  esources.12.0.R.
>>       0x01d0:  2f4d 6564 6961 426f 7820 5b30 2030 2035  /MediaBox.[0.0.5
>>       0x01e0:  3935 2038 3432 5d20 2f43 6f6e 7465 6e74  95.842]./Content
>>       0x01f0:  7320 3139 2030 2052 202f 526f 7461 7465  s.19.0.R./Rotate
>>       0x0200:  2030 3e3e 0d0a 656e 646f 626a 0d0a 3520  .0>>..endobj..5.
>>       0x0210:  3020 6f62 6a20 0d0a 3c3c 2f43 6f75 6e74  0.obj...<</Count
>>       0x0220:  2032 202f 4b69 6473 205b 3120 3020 525d  .2./Kids.[1.0.R]
>>       0x0230:  202f 5479 7065 2f50 6167 6573 3e3e 0d0a  ./Type/Pages>>..
>>       0x0240:  656e 646f 626a 0d0a 3620 3020 6f62 6a0d  endobj..6.0.obj.
>>       0x0250:  0a3c 3c2f 5479 7065 2f46 6f6e 7420 2f53  .<</Type/Font./S
>>       0x0260:  7562 7479 7065 2f54 7970 6531 202f 4261  ubtype/Type1./Ba
>>       0x0270:  7365 466f 6e74 2f54 696d 6573 2d52 6f6d  seFont/Times-Rom
>>       0x0280:  616e 202f 4e61 6d65 2f46 3120 2f45 6e63  an./Name/F1./Enc
>>       0x0290:  6f64 696e 672f 5769 6e41 6e73 6945 6e63  oding/WinAnsiEnc
>>       0x02a0:  6f64 696e 673e 3e0d 0a65 6e64 6f62 6a0d  oding>>..endobj.
>>       0x02b0:  0a31 3220 3020 6f62 6a0d 0a3c 3c2f 5072  .12.0.obj..<</Pr
>>       0x02c0:  6f63 5365 7420 5b2f 5850 4446 202f 5465  ocSet.[/XPDF./Te
>>       0x02d0:  7874 202f 496d 6167 6542 202f 496d 6167  xt./ImageB./Imag
>>       0x02e0:  6543 202f 496d 6167 6549 5d20 2f46 6f6e  eC./ImageI]./Fon
>>       0x02f0:  7420 3c3c 2f46 3120 3620 3020 523e 3e20  t.<</F1.6.0.R>>.
>>       0x0300:  2f58 4f62 6a65 6374 203c 3c3e 3e3e 3e0d  /XObject.<<>>>>.
>>       0x0310:  0a65 6e64 6f62 6a0d 0a39 2030 206f 626a  .endobj..9.0.obj
>>       0x0320:  203c 3c2f 5375 626a 6563 7420 2867 6664  .<</Subject.(gfd
>>       0x0330:  6573 6466 6476 2920 2f54 6974 6c65 2020  esdfdv)./Title..
>>       0x0340:  2867 7376 6466 6466 6461 2920 2f41 7574  (gsvdfdfda)./Aut
>>       0x0350:  686f 7220 2879 6676 6670 2064 6664 6665  hor.(yfvfp.dfdfe
>>       0x0360:  766f 2920 2f43 7265 6174 6f72 2028 6267  vo)./Creator.(bg
>>       0x0370:  6666 7562 206c 6f64 6661 6229 202f 4372  ffub.lodfab)./Cr
>>       0x0380:  6561 7469 6f6e 4461 7465 2028 443a 3230  eationDate.(D:20
>>       0x0390:  3131 3034 3035 3233 3436 3238 293e 3e0d  110405234628)>>.
>>       0x03a0:  0a65 6e64 6f62 6a0d 0a32 3920 3020 6f62  .endobj..29.0.ob
>>       0x03b0:  6a0d 0a3c 3c2f 5479 7065 2f45 6d62 6564  j..<</Type/Embed
>>       0x03c0:  6465 6446 696c 6520 2f46 696c 7465 722f  dedFile./Filter/
>>       0x03d0:  466c 6174 6544 6563 6f64 6520 2f4c 656e  FlateDecode./Len
>>       0x03e0:  6774 6820 333e 3e0d 0a73 7472 6561 6d0d  gth.3>>..stream.
>>       0x03f0:  0a61 7364 0d0a 656e 6473 7472 6561 6d0d  .asd..endstream.
>>       0x0400:  0a65 6e64 6f62 6a0d 0a38 2030 206f 626a  .endobj..8.0.obj
>>       0x0410:  2020 0d0a 3c3c 2020 202f 4669 6c74 6572  ....<<.../Filter
>>       0x0420:  202f 466c 6174 6544 6563 6f64 6520 202f  ./FlateDecode../
>>       0x0430:  4c65 6e67 7468 2033 3138 363e 3e0d 0a73  Length.3186>>..s
>>       0x0440:  7472 6561 6d0d 0a78 9ced 9d69 6f1b 4712  tream..x...io.G.
>> 
>> Thanks,
>> Nathan
>> 
> 
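The committed rule and the match list Nathan proposed, re-implemented below as an added example in Python (this is not code from the thread or from the Snort ruleset). It rebuilds packet bytes from tcpdump -X lines like the ones pasted above, strips the IPv4/TCP headers to reach the HTTP response, and evaluates the content matches with Snort's ordering and distance semantics against constructed PDF bodies modelled on the two captures (the object layout and metadata strings are copied from the "bub lob" dump; the responses themselves are constructed). It does not emulate flow, flowbits or HTTP normalisation, and the names parse_tcpdump_hex, content_chain, sample_response and evaluate are this example's own.

```python
"""Added example, not code from the thread or the Snort ruleset: reproduce
the content matches of SID 21417 in Python so the committed rev 3 and the
proposed match list can be compared against sample bodies, and rebuild a
TCP payload from 'tcpdump -X' lines like the ones in the thread."""
import re

HEX4 = re.compile(r"^[0-9a-fA-F]{4}$")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from 'tcpdump -X' lines (offset, up to 8 hex
    words, ASCII column). Only the hex words are used, so a mangled ASCII
    column, as in the mailing-list copy, does no harm."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        for tok in tokens[1:9]:
            if not HEX4.match(tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 and TCP headers, honouring IHL and the TCP data offset."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + doff:]


def http_body(payload: bytes) -> bytes:
    """Return the response body, i.e. where Snort's file_data buffer begins."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    return body


def content_chain(buf: bytes, chain) -> bool:
    """Evaluate Snort-style content matches in order. Each item is
    (pattern, distance): distance=None searches from the start of the buffer
    (no relative modifier); an int searches from end-of-previous-match + distance.
    fast_pattern:only is a search-engine hint and does not change this logic."""
    cursor = 0
    for pattern, distance in chain:
        start = 0 if distance is None else cursor + distance
        idx = buf.find(pattern, start)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


CREATION_DATE = b") /CreationDate (D:20110405234628)>>"
# Joel's committed rev 3: two non-relative matches against file_data.
SID21417_REV3 = [(b"%PDF-1.6\r\n", None), (CREATION_DATE, None)]
# Nathan's list as posted: header with a leading CRLF, then "19 0 obj" at distance:0.
PROPOSED = [(CREATION_DATE, None), (b"\r\n%PDF-1.6\r\n", None), (b"\r\n19 0 obj\r\n", 0)]


def sample_response(author, creator, version=b"1.6", cdate=b"20110405234628"):
    """Constructed HTTP response modelled on the 'bub lob' capture in the thread
    (object layout and metadata strings copied from it; not a real sample)."""
    body = (b"%PDF-" + version + b"\r\n%\xe2\xe3\xcf\xd3\r\n"
            b"19 0 obj\r\n<</Filter/FlateDecode /Length 24>>\r\nstream\r\n"
            + b"x\x9c\x8dX\xdbn\xdc6" * 3 + b"\r\nendstream\r\nendobj\r\n"
            b"9 0 obj <</Title  (va) /Subject (ev) /Author (" + author
            + b") /Creator (" + creator + b") /CreationDate (D:" + cdate
            + b")>>\r\nendobj\r\n")
    return (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\n"
            b"Content-Length: " + str(len(body)).encode()
            + b"\r\nContent-Type: application/pdf\r\n\r\n" + body)


def evaluate(response: bytes) -> dict:
    """Run both match lists against the body (file_data) and, for comparison,
    the proposed list against the raw payload including the HTTP headers."""
    body = http_body(response)
    return {"rev3_on_body": content_chain(body, SID21417_REV3),
            "proposed_on_body": content_chain(body, PROPOSED),
            "proposed_on_raw": content_chain(response, PROPOSED)}


# First three lines of the 'bub lob' capture above (IP + TCP header + start of HTTP).
CAPTURE_HEAD = """\
0x0000:  4500 0514 0ce9 4000 3106 8081 1fb8 c023  E.....@.1......#
0x0010:  0ad7 ccc7 0050 0662 84ea 8112 ad99 a242  .....P.b.......B
0x0020:  5010 0037 0a3d 0000 4854 5450 2f31 2e31  P..7.=..HTTP/1.1
"""

if __name__ == "__main__":
    print(tcp_payload(parse_tcpdump_hex(CAPTURE_HEAD)))  # b'HTTP/1.1'
    for name, resp in [("bub lob", sample_response(b"yvp devo", b"bub lob")),
                       ("yfvfp", sample_response(b"yfvfp dfdfevo", b"bgffub lodfab")),
                       ("other date", sample_response(b"a", b"b", cdate=b"20120101000000")),
                       ("PDF-1.4", sample_response(b"a", b"b", version=b"1.4"))]:
        print(name, evaluate(resp))
```

Running it shows why the header match works without the leading |0d 0a|: file_data positions detection at the start of the response body, so a pattern that begins with the header-terminating CRLF only matches when the raw payload, headers included, is searched. Both metadata variants match on the shared CreationDate, while a body with a different date or a %PDF-1.4 header does not.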