[Snort-sigs] Quick uricontent question

Joel Esler jesler at ...435...
Wed Sep 19 17:26:15 EDT 2012


James, in this case %u and such are variable fields.  (The theme is digits and the siteID is also digits if it's the first report)

So, what you'd want is something like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound communication"; flow:to_server,established; content:"/counter.img?theme="; nocase; http_uri; content:"&digits="; nocase; http_uri; distance:0; content:"&siteId="; nocase; http_uri; distance:0; pcre:"/theme\=\d+\&digits\=/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx; classtype:trojan-activity;)

Now, I haven't tested this against any pcaps or samples, I simply wrote this freehand by looking at the pdf you linked there.

I'll do some testing and we'll try and get this (or something very similar) out.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
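An added example, not part of the list post or of any Sourcefire/VRT ruleset: a small Python emulation of the http_uri portion of the rule above, run over constructed request lines, showing why the fixed strings are chained with distance:0 and why the pcre is needed for the %u fields. It assumes the URIs are already normalized (it does not reproduce Snort's http_inspect normalization) and it takes the first occurrence of each content match, which is a simplification of Snort's matcher.

```python
import re

# Constructed sample request lines (not real captures), following the form
# quoted from the Sophos paper: /<unique ID>/counter.img?theme=%u&digits=10&siteId=%u
SAMPLE_REQUESTS = {
    "zeroaccess_like":  "GET /c1a2b3/counter.img?theme=5&digits=10&siteId=1234 HTTP/1.1",
    "theme_not_digits": "GET /c1a2b3/counter.img?theme=abc&digits=10&siteId=1234 HTTP/1.1",
    "mixed_case":       "GET /c1a2b3/COUNTER.IMG?Theme=7&Digits=10&SiteId=99 HTTP/1.1",
    "params_reordered": "GET /c1a2b3/counter.img?theme=5&siteId=1234&digits=10 HTTP/1.1",
    "benign":           "GET /images/counter.img?size=10 HTTP/1.1",
}

# The three http_uri content matches from the rule, in rule order. Every one
# after the first carries distance:0, so it must begin at or after the end of
# the previous match; nocase applies to all of them.
URI_CONTENTS = ["/counter.img?theme=", "&digits=", "&siteId="]

# The pcre from the rule: /U restricts it to the normalized URI, /i is nocase.
# \d+ stands in for the %u theme value that the fixed strings cannot pin down.
URI_PCRE = re.compile(r"theme\=\d+\&digits\=", re.IGNORECASE)


def request_uri(request_line: str) -> str:
    """Return the request-URI field of an HTTP request line ("" if malformed)."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def ordered_content_match(uri: str, needles) -> bool:
    """Emulate chained content matches with nocase and distance:0 (first-hit only)."""
    haystack = uri.lower()
    cursor = 0
    for needle in needles:
        pos = haystack.find(needle.lower(), cursor)
        if pos == -1:
            return False
        cursor = pos + len(needle)
    return True


def rule_matches(request_line: str) -> bool:
    """True when the request satisfies every URI condition of the rule."""
    uri = request_uri(request_line)
    return ordered_content_match(uri, URI_CONTENTS) and URI_PCRE.search(uri) is not None


def evaluate_samples() -> dict:
    """Map each constructed sample to whether the rule would fire on it."""
    return {name: rule_matches(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18} {'ALERT' if hit else 'no match'}")
```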




On Sep 19, 2012, at 4:32 PM, James Lay <jlay at ...3266...> wrote:

> So...doing some reading:
> 
> http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx
> 
> From the text:
> 
> The first phone home mechanism is through a specially crafted HTTP Get Request that takes the following form:
> 
> GET /<unique ID>/counter.img?theme=%u&digits=10&siteId=%u HTTP/1.1\r\n
> Host: <hostname>\r\n
> User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)
> 
> So far here's what I have:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"INDICATOR-COMPROMISE ZeroAccess phone home"; 
> content:"User-Agent|3a| Opera/9"; http_header; 
> uricontent:"/counter.img?theme=";
> 
> As I am reading the info on uricontent, the content is already 
> normalized...does that mean I don't have to hex anything with 
> "/counter.img?theme="?  Or does it matter.  Thanks all.
> 
> James
> 