[Snort-sigs] UTF-8 BOM

Joel Esler jesler at ...435...
Tue Apr 9 17:17:41 EDT 2013


Yup. Caught those already. I'm testing them. 

--
Joel Esler
Sent from my iPhone 

On Apr 9, 2013, at 3:06 PM, rmkml <rmkml at ...174...> wrote:

> Hi,
> 
> Thx for sharing,
> 
> -maybe change B4 to 4B ?
> 
> -for http sig, maybe add H on pcre ?
> 
> Best Regards
> Rmkml
> 
> 
> On Mon, 8 Apr 2013, Joel Esler wrote:
> 
>> On Apr 8, 2013, at 4:22 PM, James Lay <jlay at ...3266...> wrote:
>>      On 2013-04-08 14:10, Joel Esler wrote:
>>            How about something like this James?  (Three rules)
>> 
>>            alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
>>            UTF-8 BOM in zip file attachment detected";
>>            flow:to_server,established; content:".zip"; fast_pattern:only;
>>            content:"Content-Disposition: attachment|3B|"; content:"filename=";
>>            nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
>>            content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
>>            drop, policy security-ips drop, ruleset community, service smtp;
>>            reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
>>            classtype:trojan-activity;)
>> 
>>            alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any
>>            (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
>>            flow:to_client,established; content:".zip"; fast_pattern:only;
>>            content:"Content-Disposition: attachment|3B|"; content:"filename=";
>>            nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
>>            content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
>>            drop, policy security-ips drop, ruleset community, service imap,
>>            service pop3;
>>            reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
>>            classtype:trojan-activity;)
>> 
>>            alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>>            (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
>>            flow:to_client,established; content:".zip"; fast_pattern:only;
>>            http_header; content:"filename="; nocase; http_header;
>>            pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
>>            content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
>>            drop, policy security-ips drop, ruleset community, service http;
>>            reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
>>            classtype:trojan-activity;)
>> 
>>      Dammit Joel...yours always look so much better than mine :P  As always, thanks a bunch :)
>> :D
>> Alright, I have these in the test system, let's see how they do.
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
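The three rules above all make the same two checks: a `Content-Disposition`/`filename=` header naming a `.zip` attachment, and a file body whose first five bytes are the UTF-8 BOM (`EF BB BF`) followed by the start of the ZIP local-file-header signature (`PK`, i.e. `50 4B`, which is what the "B4 to 4B" remark earlier in the thread is about; the full signature is `50 4B 03 04`). The following Python script, added here as an illustration and not code from the thread or from Sourcefire, emulates that logic over a constructed mail message so the match conditions can be tried offline. The message builder, the sample archive and the member name `invoice.exe` are all constructed for the example.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# UTF-8 byte-order mark and the ZIP local-file-header signature "PK\x03\x04"
# (hex 50 4B 03 04). The rules match the first five bytes of the file body:
# BOM followed by "PK". Note the second signature byte is 0x4B ('K').
UTF8_BOM = b"\xef\xbb\xbf"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

# Same filename test as the rules' pcre: "filename=" ... ".zip" followed by a
# quote or whitespace, case-insensitive, applied to the raw header value.
FILENAME_RE = re.compile(rb"filename=[^\n]*?\x2ezip[\x22\x27\s]", re.S | re.I)


def build_sample_zip(member="invoice.exe", payload=b"constructed sample payload"):
    """Constructed sample: a one-member ZIP archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def build_sample_message(attachment, filename="invoice.zip",
                         maintype="application", subtype="zip"):
    """Constructed sample: a minimal mail message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


def bom_prefixed_zip(body):
    """The rules' file_data check: first five bytes are EF BB BF 50 4B (depth:5)."""
    return body[:5] == UTF8_BOM + ZIP_LOCAL_HEADER[:2]


def scan_message(raw):
    """Return one finding per *.zip attachment whose decoded body starts with a
    BOM-prefixed ZIP header, listing the archive members found behind the BOM."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        disposition = part.get("Content-Disposition", "")
        if not FILENAME_RE.search(str(disposition).encode("utf-8", "replace")):
            continue
        body = part.get_payload(decode=True) or b""
        if not bom_prefixed_zip(body):
            continue
        # Drop the BOM to see the archive a mail client or unzip tool would open.
        try:
            with zipfile.ZipFile(io.BytesIO(body[len(UTF8_BOM):])) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        findings.append({"filename": part.get_filename(), "members": members})
    return findings


if __name__ == "__main__":
    archive = build_sample_zip()
    print("clean  :", scan_message(build_sample_message(archive)))
    print("evasive:", scan_message(build_sample_message(UTF8_BOM + archive)))
```

Running it shows an empty result for the plain archive and one finding, with the member list, for the BOM-prefixed copy. The attachment whose body carries the BOM but whose name does not end in `.zip` is not reported, mirroring the rules' reliance on the `filename=` match before the `file_data` check.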