[Snort-sigs] Asprox sig

James Lay jlay at ...3266...
Tue Jul 9 20:29:13 EDT 2013


On Jul 9, 2013, at 2:33 PM, James Lay <jlay at ...3266...> wrote:

> On 2013-07-09 14:23, lists at ...3397... wrote:
>> On 07/09/2013 03:15 PM, James Lay wrote:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"MALWARE-CNC Asprox outbound connection";
>>> flow:to_server,established; content:"?v="; http_uri; content:"&id=";
>>> http_uri; within:6; content:"&b="; http_uri; content:"&tm=";
>>> http_uri; within:7; metadata:impact_flag red, policy balanced-ips drop, policy
>>> security-ips drop, service http;
>>> reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/;
>>> classtype:trojan-activity; sid:10000085; rev:1;)
>> 
>> I recommend we add some negations to avoid some falses, for example,
>> the lack of proper headers is pretty bogus.  Header ordering is pretty
>> important too, so I'd probably do this:
>> 
>> content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only;
>> content:!"Accept"; http_header; {the rest of your content matches for
>> HTTP URI}
>> 
>> Good stuff James, as always.
>> 
>> Cheers,
>> Nathan
> 
> Thanks Nathan,
> 
> Here's the mod:
> 

Slight change:


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Asprox outbound connection"; flow:to_server,established; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only; content:!"Accept"; http_header; content:"?v="; http_uri; content:"&id="; http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; within:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/; classtype:trojan-activity; sid:10000085; rev:3;)

Thanks all.

James
> 
> Running this now in production.
> 
> James