[Snort-sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

Joel Esler jesler at ...435...
Mon May 6 12:53:16 EDT 2013


Thanks Nathan, I'll run these through.

On May 3, 2013, at 8:54 PM, lists at ...3397... wrote:

> On 05/03/2013 05:57 PM, James Lay wrote:
>> https://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware/
>> 
>> YAY
>> 
>> James
> 
> Here's my go at it. I'm using Emerging-Threats[1] style/nomenclature, not because
> it's what's "right" but simply because it's what I'm acclimated to.  Please no
> flamewar for cross-posting.  Gratuitous hex to avoid line-wrap.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from
> compromised or malicious WordPress site"; flow:established,to_server;
> content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
> pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity;
> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware;
> sid:x; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS/VRT_COMMUNITY Sirefef Fake Opera 10 User-Agent";
> flow:established,to_server; content:"Opera/10|20|"; http_header;
> fast_pattern:only; content:!"Accept"; http_header; classtype:trojan-activity;
> reference:url,dev.opera.com/articles/view/opera-ua-string-changes; sid:x; rev:1;)
> 
> Been a long day; flame me accordingly if these end up being garbage sigs.  Best
> wishes to all, and thanks James for your keen eye (as always).
> 
> [1] http://www.emergingthreats.net/open-source/open-source-overview/
> 
> Cheers,
> Nathan
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
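A quick way to sanity-check what the two proposed signatures actually inspect, as an added example that is not part of the thread or of any Snort/ET rule set: a small Python harness that mirrors each rule option (the http_uri substring, the /U pcre, the raw request-line content, the http_header substring and its negation) over a handful of constructed HTTP requests. Every host, path and User-Agent below is made up for the example; the one real data point is that Opera 10 identifies itself as "Opera/9.80 ... Version/10.x" (per the dev.opera.com article Nathan references), which is why a literal "Opera/10 " UA is suspect. Note that http_uri and the URI pcre only exist for client requests, so the harness feeds the executable rule the request side of the conversation.

```python
"""Emulate the two proposed Sirefef signatures over constructed HTTP requests.

Added example, not code from the mailing-list post. It mirrors what each rule
option looks at so the match logic can be exercised without a Snort install.
The sample requests are constructed for this example, not captured traffic.
"""
import re
from typing import Dict, List, Tuple

# Mirrors pcre:"/\/\d+\.exe$/U": the URI must end in /<digits>.exe
URI_RE = re.compile(r"/\d+\.exe$")


def parse_request(raw: str) -> Tuple[str, str, str, str]:
    """Split a raw HTTP/1.x request into (method, uri, request_line, header_block).

    header_block approximates Snort's http_header buffer (all header lines,
    request line excluded). The body is ignored; neither rule inspects it.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, request_line, header_block


def rule_wp_exe(uri: str, request_line: str) -> bool:
    """Rule 1: executable with an all-digit name fetched from /wp-content/.

    content:"/wp-content/"; http_uri;          -> substring of the URI
    content:".exe|20|HTTP/1."; fast_pattern;   -> raw request line
    pcre:"/\\/\\d+\\.exe$/U";                   -> regex over the URI
    """
    return ("/wp-content/" in uri
            and ".exe HTTP/1." in request_line
            and URI_RE.search(uri) is not None)


def rule_fake_opera(header_block: str) -> bool:
    """Rule 2: "Opera/10 " in the headers and no "Accept" anywhere in them.

    content:"Opera/10|20|"; http_header; content:!"Accept"; http_header;
    The negation is a plain substring test, so Accept-Language or
    Accept-Encoding also suppress the alert, exactly as the rule is written.
    """
    return "Opera/10 " in header_block and "Accept" not in header_block


def match_rules(raw: str) -> List[str]:
    """Return the names of the rules a single client request would trigger."""
    _method, uri, request_line, header_block = parse_request(raw)
    hits: List[str] = []
    if rule_wp_exe(uri, request_line):
        hits.append("wp_exe")
    if rule_fake_opera(header_block):
        hits.append("fake_opera")
    return hits


# Constructed samples (hypothetical hosts, paths and UAs; not real captures).
SAMPLES: Dict[str, str] = {
    "wp_digits_exe": (
        "GET /wp-content/uploads/2013/05/18323.exe HTTP/1.1\r\n"
        "Host: www.example.org\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
        "Accept: */*\r\n\r\n"),
    "wp_named_exe": (  # name is not all digits, so the pcre does not match
        "GET /wp-content/plugins/backup/setup.exe HTTP/1.1\r\n"
        "Host: www.example.org\r\n"
        "Accept: */*\r\n\r\n"),
    "non_wp_digits_exe": (  # digits.exe but not under /wp-content/
        "GET /files/18323.exe HTTP/1.1\r\n"
        "Host: www.example.org\r\n"
        "Accept: */*\r\n\r\n"),
    "fake_opera": (  # bot-style UA, no Accept header at all
        "GET /index.php HTTP/1.1\r\n"
        "Host: www.example.net\r\n"
        "User-Agent: Opera/10 (Windows NT 5.1; U; en)\r\n\r\n"),
    "real_opera_10": (  # how Opera 10 really identifies itself
        "GET /index.php HTTP/1.1\r\n"
        "Host: www.example.net\r\n"
        "User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10\r\n"
        "Accept: text/html\r\n\r\n"),
    "fake_opera_with_accept_language": (  # slips past the "Accept" negation
        "GET /index.php HTTP/1.1\r\n"
        "Host: www.example.net\r\n"
        "User-Agent: Opera/10 (Windows NT 5.1; U; en)\r\n"
        "Accept-Language: en\r\n\r\n"),
}


def scan_all() -> Dict[str, List[str]]:
    """Run both rules over every sample and return {sample_name: [rule names]}."""
    return {name: match_rules(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:34s} -> {hits or ['no alert']}")
```

The last sample is the caveat worth keeping in mind for the second rule: because `content:!"Accept"` is a bare substring negation over the whole header block, any header whose name starts with "Accept" (Accept-Language, Accept-Encoding) suppresses the alert, not just a real Accept header. Anchoring the negation to a line start, e.g. `content:!"|0d 0a|Accept|3a|"`, would narrow it to the Accept header itself if that is the intent.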
