[Snort-sigs] Snort-sigs Digest, Vol 85, Issue 22

James Lay jlay at ...3266...
Wed Jun 26 18:50:38 EDT 2013


On 2013-06-26 16:11, John Cal wrote:
> On Wed, Jun 26, 2013 at 2:28 PM, <snort-sigs-request at lists.sourceforge.net> wrote:
>
>> Yippee
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"MALWARE-CNC W32.Trojan.PinkStats outbound connection";
>> flow:to_server,established;
>> content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header;
>> content:"/count.asp?mac="; http_uri; content:"&ver="; http_uri;
>> metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html;
>> classtype:trojan-activity; sid:10000083; rev:1;)
>>
>> Rule 24015 seems to be a cousin MALWARE-CNC W32.Trojan.Magania
>>
>> James
>
> James, are there any benefits to having your rule match the URI
> content before the UA content? I might need to read some additional
> material to understand the order on how a signature is read by Snort,
> but the correct flow would have the URI before the UA header,
> correct? 

I think that would normally be the case, but I'm thinking the 
fast_pattern checks to see if the UA is "Google page" first, then goes 
on with the rest of the check.  fast_pattern still confuses me 
too...what say you group, is that good reasoning for the UA to be 
checked before the URI?

James
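The two-stage behaviour James is reasoning about, as an added example for this thread (it is not Snort source code and was not posted on the list): a simplified Python model in which stage one, the multi-pattern prefilter, consults only the content flagged `fast_pattern` (or the longest content when nothing is flagged), and stage two walks the remaining content options in the order they are written. The PinkStats contents are taken from the rule above; the two sibling rules (sids 9000001 and 9000002), the `uri_first` helper, the function names and the HTTP request are constructed for this illustration. HTTP normalization and Snort's other fast-pattern selection heuristics are not modelled.

```python
"""Simplified model of how Snort picks and checks a rule's fast pattern.

Added example for this thread; it is not Snort source code. Rule and request
data below are constructed for illustration (the PinkStats contents are taken
from the rule posted in the thread; the sibling rules are hypothetical).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Content:
    pattern: bytes
    buffer: str              # "http_header" or "http_uri"
    fast_pattern: bool = False
    only: bool = False       # models fast_pattern:only (no re-check in stage 2)


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content]

    def fast_pattern(self) -> Content:
        # The content flagged fast_pattern is used; without a flag the longest
        # content is picked. Position in the rule text plays no role.
        flagged = [c for c in self.contents if c.fast_pattern]
        return flagged[0] if flagged else max(self.contents, key=lambda c: len(c.pattern))


def parse_http_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw request into the two buffers these rules inspect."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return {"http_uri": uri, "http_header": headers + b"\r\n"}


def prefilter(rules: List[Rule], buffers: Dict[str, bytes]) -> List[Rule]:
    """Stage 1: the multi-pattern matcher looks only at each rule's fast pattern.
    A rule whose fast pattern is absent is dropped here and never fully evaluated."""
    return [r for r in rules if r.fast_pattern().pattern in buffers[r.fast_pattern().buffer]]


def evaluate(rule: Rule, buffers: Dict[str, bytes]) -> bool:
    """Stage 2: full evaluation walks the remaining content options in written order."""
    return all(c.pattern in buffers[c.buffer] for c in rule.contents if not c.only)


def trace(rules: List[Rule], raw: bytes) -> Dict[int, str]:
    """Report, per rule, which stage decided its fate for one request."""
    buffers = parse_http_request(raw)
    survivors = {r.sid for r in prefilter(rules, buffers)}
    result = {}
    for r in rules:
        if r.sid not in survivors:
            result[r.sid] = "rejected by fast-pattern prefilter"
        elif evaluate(r, buffers):
            result[r.sid] = "alert"
        else:
            result[r.sid] = "prefilter hit, rejected by full evaluation"
    return result


def alerts(rules: List[Rule], raw: bytes) -> List[int]:
    return [sid for sid, outcome in trace(rules, raw).items() if outcome == "alert"]


def uri_first(rule: Rule) -> Rule:
    """John's variant: same options, http_uri contents written before the UA content."""
    reordered = [c for c in rule.contents if c.buffer == "http_uri"] + \
                [c for c in rule.contents if c.buffer != "http_uri"]
    return Rule(rule.sid, rule.msg, reordered)


UA = Content(b"User-Agent: Google page\r\n", "http_header", fast_pattern=True, only=True)

# Contents of the PinkStats rule from the thread (sid 10000083)
PINKSTATS = Rule(10000083, "MALWARE-CNC W32.Trojan.PinkStats outbound connection",
                 [UA, Content(b"/count.asp?mac=", "http_uri"), Content(b"&ver=", "http_uri")])

# Hypothetical sibling rules, constructed to show the two rejection paths
SAME_UA_OTHER_URI = Rule(9000001, "hypothetical: same UA, other URI",
                         [UA, Content(b"/stats.asp?id=", "http_uri")])
OTHER_UA = Rule(9000002, "hypothetical: other UA, same URI",
                [Content(b"User-Agent: Mozilla/4.0\r\n", "http_header", fast_pattern=True),
                 Content(b"/count.asp?mac=", "http_uri")])
RULES = [PINKSTATS, SAME_UA_OTHER_URI, OTHER_UA]

# Constructed request shaped like the traffic the PinkStats rule describes
REQUEST = (b"GET /count.asp?mac=00-11-22-33-44-55&ver=1 HTTP/1.1\r\n"
           b"Host: cnc.example.invalid\r\n"
           b"User-Agent: Google page\r\n"
           b"Connection: close\r\n\r\n")

if __name__ == "__main__":
    for sid, outcome in trace(RULES, REQUEST).items():
        print(sid, outcome)
    # Reordering the options does not change which content is the fast pattern
    print(uri_first(PINKSTATS).fast_pattern().pattern == PINKSTATS.fast_pattern().pattern)
```

Running it shows the three outcomes side by side: the PinkStats rule alerts, the sibling that shares the User-Agent gets past the prefilter and is only rejected during full evaluation, and the sibling with a different User-Agent never reaches full evaluation at all. `uri_first` makes John's point concrete: writing the URI contents before the UA content changes the order of the stage-two checks but not which content the prefilter uses, because that is decided by the `fast_pattern` flag rather than by position in the rule.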



