[Snort-sigs] Asprox sig

Joel Esler jesler at ...435...
Tue Jul 9 20:48:28 EDT 2013


Thanks James. 

Sent from my iPhone

> On Jul 9, 2013, at 8:29 PM, James Lay <jlay at ...3266...> wrote:
> 
> 
>> On Jul 9, 2013, at 2:33 PM, James Lay <jlay at ...3266...> wrote:
>> 
>>> On 2013-07-09 14:23, lists at ...3397... wrote:
>>>> On 07/09/2013 03:15 PM, James Lay wrote:
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>>> (msg:"MALWARE-CNC Asprox outbound connection";
>>>> flow:to_server,established; content:"?v="; http_uri; content:"&id=";
>>>> http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri;
>>>> within:7; metadata:impact_flag red, policy balanced-ips drop, policy
>>>> security-ips drop, service http;
>>>> reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/;
>>>> classtype:trojan-activity; sid:10000085; rev:1;)
>>> 
>>> I recommend we add some negations to avoid some falses; for example,
>>> the lack of proper headers is pretty bogus.  Header ordering is pretty
>>> important too, so I'd probably do this:
>>> 
>>> content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only;
>>> content:!"Accept"; http_header; {the rest of your content matches for
>>> HTTP URI}
>>> 
>>> Good stuff James, as always.
>>> 
>>> Cheers,
>>> Nathan
>> 
>> Thanks Nathan,
>> 
>> Here's the mod:
> 
> Slight change:
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Asprox outbound connection"; flow:to_server,established; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"; fast_pattern:only; content:!"Accept"; http_header; content:"?v="; http_uri; content:"&id="; http_uri; within:6; content:"&b="; http_uri; content:"&tm="; http_uri; within:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://labs.m86security.com/2010/06/the-asprox-spambot-resurrects/; classtype:trojan-activity; sid:10000085; rev:3;)
> 
> Thanks all.
> 
> James
>> 
>> Running this now in production.
>> 
>> James
>> 
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> 
>> 
>> Please visit http://blog.snort.org for the latest news about Snort!
> 
> 
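The thread's final rule (rev:3) combines a raw-payload fast pattern, a negated `http_header` content, and two relative `within` constraints on the URI. The following Python script is an added example, not part of the list thread or of Snort itself: it emulates how those options are evaluated so a rule author can check the logic offline against constructed requests before deploying. The HTTP requests below are constructed samples, and the emulation assumes Snort 2 semantics (a `within:N` pattern must lie entirely in the N bytes after the previous match; a negated `content` fails the rule if the pattern appears anywhere in the buffer; the `http_header` buffer holds the header lines but not the request line).

```python
"""Offline emulation of the Asprox rule's content/within/negation logic (added example)."""
import re

# Constructed sample requests (not real traffic) to exercise each rule option.
SAMPLES = {
    # Asprox-style beacon: short v/b values, User-Agent first, no Accept header.
    "asprox_like": (
        b"GET /index.php?v=12&id=AB&b=1&tm=5 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\nHost: c2.example.test\r\n\r\n"
    ),
    # Same URI, but a browser sends Accept-* headers; the negation suppresses the alert.
    "browser_like": (
        b"GET /index.php?v=12&id=AB&b=1&tm=5 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/5.0\r\nAccept-Language: en\r\nHost: www.example.test\r\n\r\n"
    ),
    # v value too long: "&id=" no longer fits in the 6 bytes after "?v=" (within:6).
    "long_v_value": (
        b"GET /index.php?v=12345&id=AB&b=1&tm=5 HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\nHost: c2.example.test\r\n\r\n"
    ),
    # Host precedes User-Agent, so the raw fast pattern " HTTP/1.1\r\nUser-Agent: " is absent.
    "host_first": (
        b"GET /index.php?v=12&id=AB&b=1&tm=5 HTTP/1.1\r\n"
        b"Host: c2.example.test\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    ),
}

FAST_PATTERN = b" HTTP/1.1\r\nUser-Agent: "   # content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|"
NEGATED_HEADER = b"Accept"                     # content:!"Accept"; http_header;


def parse_request(raw: bytes):
    """Split a raw request into (uri, header_buffer) the way the http_uri/http_header buffers see it."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, uri, _version = lines[0].split(b" ", 2)
    headers = b"\r\n".join(lines[1:])
    return uri, headers


def content_within(buf: bytes, pattern: bytes, start: int, within: int) -> int:
    """Emulate `content:P; within:N` relative to a previous match ending at `start`.

    bytes.find(sub, start, end) only reports matches lying entirely inside [start, end),
    which is exactly the window Snort's within:N imposes. Returns -1 when absent.
    """
    return buf.find(pattern, start, start + within)


def uri_matches(uri: bytes) -> bool:
    """content:"?v="; content:"&id="; within:6; content:"&b="; content:"&tm="; within:7;"""
    # Try every "?v=" occurrence, since a later one might satisfy the window.
    if not any(content_within(uri, b"&id=", m.end(), 6) != -1
               for m in re.finditer(re.escape(b"?v="), uri)):
        return False
    # "&b=" carries no distance/within, so it is searched over the whole URI buffer;
    # "&tm=" must then fall within 7 bytes of the end of that "&b=" match.
    return any(content_within(uri, b"&tm=", m.end(), 7) != -1
               for m in re.finditer(re.escape(b"&b="), uri))


def rule_matches(raw: bytes) -> bool:
    """Return True when all options of the rev:3 rule are satisfied by this request."""
    # fast_pattern:only still requires the literal to be present in the raw payload.
    if FAST_PATTERN not in raw:
        return False
    uri, headers = parse_request(raw)
    # Negated content: any "Accept" substring in the header buffer (including
    # Accept-Language or Accept-Encoding) makes the rule fail. That breadth is what
    # lets the negation drop ordinary browser traffic.
    if NEGATED_HEADER in headers:
        return False
    return uri_matches(uri)


def evaluate_all() -> dict:
    """Map each constructed sample name to whether the rule would alert on it."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:12s} -> {'ALERT' if hit else 'no alert'}")
```

Running it shows only `asprox_like` alerting; the other three samples each fail on a different option, which is a quick way to confirm that each `within` window and the header negation are doing what the rule author intended before the rule goes into production.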
