[Snort-sigs] Quick uricontent question
jesler at ...435...
Wed Sep 19 17:26:15 EDT 2012
James, in this case %u and such are variable fields. (The theme is digits and the siteID is also digits if it's the first report)
So, what you'd want is something like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound communication"; flow:to_server,established; content:"/counter.img?theme="; nocase; http_uri; content:"&digits="; nocase; http_uri; distance:0; content:"&siteId="; nocase; http_uri; distance:0; pcre:"/theme\=\d+\&digits\=/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx; classtype:trojan-activity;)
Now, I haven't tested this against any pcaps or samples, I simply wrote this freehand by looking at the pdf you linked there.
I'll do some testing and we'll try and get this (or something very similar) out.
Senior Research Engineer, VRT
OpenSource Community Manager
On Sep 19, 2012, at 4:32 PM, James Lay <jlay at ...3266...> wrote:
> So...doing some reading:
> From the text:
> The first phone home mechanism is through a specially crafted HTTP Get Request that takes the following form:
> GET /<unique ID>/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1\r\n
> Host: <hostname>\r\n
> User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
> So far here's what I have:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE ZeroAccess phone home";
> content:"User-Agent|3a| Opera/9"; http_header;
> As I am reading the info on uricontent, the content is already
> normalized...does that mean I don't have to hex anything with
> "/counter.img?theme="? Or does it matter. Thanks all.
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> Please visit http://blog.snort.org for the latest news about Snort!
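As an added illustration (not code from this thread, the VRT, or Snort itself), the Python below emulates what the http_uri content chain and the U-flagged pcre in the rule above actually evaluate, and why James's question about hex-encoding "/counter.img?theme=" is answered by normalization: http_inspect percent-decodes and path-normalizes the URI before any http_uri/uricontent or pcre:/U match runs, so the literal "?" and "/" are matched as-is. The normalization here is a simplified model of the preprocessor (percent-decoding plus collapsing of empty, "." and ".." segments), the sample requests are constructed, the <unique ID> is a made-up hex string, and flow/port conditions are not modeled.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not real captures): a ZeroAccess-style beacon,
# the same beacon with percent-encoded URI characters plus junk path segments,
# and two requests that must not fire. The <unique ID> segment is invented.
BEACON = (
    "GET /0123456789abcdef/counter.img?theme=1234&digits=10&siteId=5678 HTTP/1.1\r\n"
    "Host: beacon.example\r\n"
    "User-Agent: Opera/9 (Windows NT 6.1; en; en)\r\n\r\n"
)
ENCODED_BEACON = (
    "GET /0123456789abcdef//./counter.img%3Ftheme%3D1234%26digits%3D10%26siteId%3D5678 HTTP/1.1\r\n"
    "Host: beacon.example\r\n"
    "User-Agent: Opera/9 (Windows NT 6.1; en; en)\r\n\r\n"
)
BENIGN = (
    "GET /stats/counter.img?theme=blue HTTP/1.1\r\n"
    "Host: www.example\r\n\r\n"
)
REORDERED = (
    "GET /0123456789abcdef/counter.img?theme=1234&siteId=5678&digits=10 HTTP/1.1\r\n"
    "Host: beacon.example\r\n\r\n"
)


def request_uri(raw_request):
    """Return the request-target from the request line, or None if malformed."""
    request_line = raw_request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None
    return parts[1]


def normalize_uri(uri):
    """Simplified model (assumption, not the preprocessor's full rule set) of
    the URI normalization http_inspect applies before http_uri matching:
    percent-decode, then drop empty and '.' path segments and resolve '..'."""
    decoded = unquote(uri)
    path, sep, query = decoded.partition("?")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments) + sep + query


def content_chain(buffer, patterns):
    """Emulate 'content:X; nocase; http_uri;' followed by further contents
    carrying distance:0 -- each match must begin at or after the end of the
    previous match in the same normalized URI buffer."""
    haystack = buffer.lower()
    position = 0
    for pattern in patterns:
        index = haystack.find(pattern.lower(), position)
        if index < 0:
            return False
        position = index + len(pattern)
    return True


# Equivalent of pcre:"/theme\=\d+\&digits\=/Ui": U selects the normalized URI
# buffer, i makes the match case-insensitive; the escapes are literal = and &.
URI_PCRE = re.compile(r"theme=\d+&digits=", re.IGNORECASE)

# The three http_uri contents from the rule, in order.
ZEROACCESS_URI_CONTENTS = ["/counter.img?theme=", "&digits=", "&siteId="]


def rule_matches(raw_request):
    """True when the request's normalized URI satisfies the content chain and
    the pcre, i.e. the URI-side conditions of the rule."""
    uri = request_uri(raw_request)
    if uri is None:
        return False
    normalized = normalize_uri(uri)
    if not content_chain(normalized, ZEROACCESS_URI_CONTENTS):
        return False
    return URI_PCRE.search(normalized) is not None


if __name__ == "__main__":
    samples = [("beacon", BEACON), ("encoded", ENCODED_BEACON),
               ("benign", BENIGN), ("reordered", REORDERED)]
    for label, sample in samples:
        uri = normalize_uri(request_uri(sample))
        print(f"{label:10s} match={rule_matches(sample)!s:5s} uri={uri}")
```

The encoded sample fires even though the raw request-target contains no literal "?" or "&", because the match runs on the decoded buffer; the reordered sample does not fire even though all three strings are present, because distance:0 makes each content relative to the previous one. That relative chaining is what makes the three short contents cheap to evaluate and hard to satisfy by accident.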