[Snort-sigs] UTF-8 BOM

James Lay jlay at ...3266...
Mon Apr 8 16:22:37 EDT 2013


On 2013-04-08 14:10, Joel Esler wrote:
> How about something like this James?  (Three rules)
>
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> UTF-8 BOM in zip file attachment detected";
> flow:to_server,established; content:".zip"; fast_pattern:only;
> content:"Content-Disposition: attachment|3B|"; content:"filename=";
> nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
> content:"|EF BB BF 50 4B|"; depth:5; metadata:policy balanced-ips
> drop, policy security-ips drop, ruleset community, service smtp;
> reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
> classtype:trojan-activity;)
>
> alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any
> (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
> flow:to_client,established; content:".zip"; fast_pattern:only;
> content:"Content-Disposition: attachment|3B|"; content:"filename=";
> nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
> content:"|EF BB BF 50 4B|"; depth:5; metadata:policy balanced-ips
> drop, policy security-ips drop, ruleset community, service imap,
> service pop3;
> reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
> classtype:trojan-activity;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
> flow:to_client,established; content:".zip"; fast_pattern:only;
> http_header; content:"filename="; nocase; http_header;
> pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
> content:"|EF BB BF 50 4B|"; depth:5; metadata:policy balanced-ips
> drop, policy security-ips drop, ruleset community, service http;
> reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
> classtype:trojan-activity;)
>

Dammit Joel...yours always look so much better than mine :P  As 
always, thanks a bunch :)

James
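Added illustration, not from this thread and not Snort code: a Python script that builds a constructed BOM-prefixed zip, shows that a scanner keyed on the zip magic at offset 0 misses it while an archive library still opens it, and expresses the rules' `content:"|EF BB BF 50 4B|"; depth:5` test as a plain byte check. All function and sample names are my own.

```python
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"          # EF BB BF
ZIP_LOCAL_HEADER = b"PK\x03\x04"    # 50 4B 03 04, the normal first bytes of a zip


def build_bom_prefixed_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: an ordinary zip archive with a UTF-8 BOM
    prepended, mimicking the attachment shape the rules look for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return UTF8_BOM + buf.getvalue()


def offset0_magic_check(data: bytes) -> bool:
    """A scanner that only keys on the zip magic at offset 0; this is
    the check the BOM trick slips past."""
    return data.startswith(ZIP_LOCAL_HEADER)


def bom_zip_check(data: bytes) -> bool:
    """Equivalent of content:"|EF BB BF 50 4B|"; depth:5 in the rules:
    the match must sit inside the first five bytes of the file data."""
    return data[:5] == UTF8_BOM + b"PK"


def extractor_opens_it(data: bytes) -> bool:
    """Archive tools locate the end-of-central-directory record from the
    end of the file, so a few leading junk bytes do not stop extraction.
    That is why the BOM does not break the attachment for the recipient."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return bool(zf.namelist()) and zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def classify_attachment(data: bytes) -> str:
    """Verdict a mail gateway could attach to a .zip attachment body."""
    if bom_zip_check(data):
        return "bom-prefixed-zip"
    if offset0_magic_check(data):
        return "zip"
    return "not-zip"


if __name__ == "__main__":
    sample = build_bom_prefixed_zip("invoice.exe", b"constructed payload bytes")
    print(sample[:5].hex(" "))  # ef bb bf 50 4b
    print(offset0_magic_check(sample), bom_zip_check(sample), extractor_opens_it(sample))
```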
