[Snort-sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
jesler at ...435...
Mon May 6 13:37:13 EDT 2013
On May 3, 2013, at 8:54 PM, lists at ...3397... wrote:
> On 05/03/2013 05:57 PM, James Lay wrote:
> Here's my go at it, I'm using Emerging-Threats style/nomenclature not because
> it's what's "right" but simply because it's what I'm acclimated to. Please no
> flamewar for cross-posting. Gratuitous hex to avoid line-wrap.
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
> CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from
> compromised or malicious WordPress site"; flow:established,from_server;
> content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
> pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity;
> sid:x; rev:1;)
Looking at what you are intending here, I think you mean it the other way ($HOME_NET -> $EXTERNAL_NET).
I rewrote the rule to reflect that and put it in Malware-cnc.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS/VRT_COMMUNITY Sirefef Fake Opera 10 User-Agent";
> flow:established,to_server; content:"Opera/10|20|"; http_header;
> fast_pattern:only; content:!"Accept"; http_header; classtype:trojan-activity;
> reference:url,dev.opera.com/articles/view/opera-ua-string-changes; sid:x; rev:1;)
Adding this to the blacklist category.
Senior Research Engineer, VRT
OpenSource Community Manager
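As an added illustration (not part of this thread, and not Snort or VRT code), here is a small Python re-implementation of what the two rules above test, run over constructed HTTP requests. It assumes the direction fix described for the first rule (client request, to_server) and treats Snort's http_uri and http_header buffers simply as the request URI and the raw header block; Snort's own normalization is not reproduced, and all matches are case-sensitive because neither rule uses nocase. Sample 5 shows why a server response never matches a rule keyed on http_uri, and sample 6 shows that content:!"Accept" also suppresses the alert when only an Accept-Language header is present.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample traffic (not captured, not from the thread). Hosts are
# TEST-NET addresses; paths and header values are made up to exercise each rule.
SAMPLES: List[bytes] = [
    # 0: all-digit .exe under /wp-content/ -> rule 1 fires
    b"GET /wp-content/uploads/2013/05/7781234.exe HTTP/1.1\r\n"
    b"Host: 203.0.113.10\r\nUser-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
    # 1: 'Opera/10 ' User-Agent and no Accept header at all -> rule 2 fires
    b"POST /gate.php HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    b"User-Agent: Opera/10 (Windows NT 6.1; U; en)\r\nContent-Length: 0\r\n\r\n",
    # 2: what Opera 10 really sent (Opera/9.80 ... Version/10.x) -> no alert
    b"GET /index.html HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    b"User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.2.15 Version/10.10\r\n"
    b"Accept: text/html\r\n\r\n",
    # 3: ordinary WordPress asset -> no alert
    b"GET /wp-content/uploads/logo.png HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    # 4: .exe under /wp-content/ but not an all-digit name -> pcre fails, no alert
    b"GET /wp-content/plugins/setup.exe HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
    # 5: server response: no request URI exists, so a from_server rule using
    #    http_uri had nothing to match; hence the direction fix to to_server
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ",
    # 6: 'Opera/10 ' plus Accept-Language: content:!"Accept" is a substring
    #    test over the whole header block, so this one is NOT alerted on
    b"GET /stat HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    b"User-Agent: Opera/10 (Windows NT 6.1; U; en)\r\nAccept-Language: en\r\n\r\n",
]


@dataclass
class Request:
    request_line: str   # method SP uri SP version; the raw bytes the fast pattern hits
    uri: str            # stands in for Snort's http_uri buffer
    headers: str        # header block after the request line, stands in for http_header


def parse_request(raw: bytes) -> Optional[Request]:
    """Split a client request; return None for anything that is not one."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0].startswith("HTTP/"):
        return None                      # a response, or not HTTP at all
    return Request(lines[0], parts[1], "\r\n".join(lines[1:]))


EXE_URI_RE = re.compile(r"/\d+\.exe$")   # pcre:"/\/\d+\.exe$/U"


def rule_wp_content_exe(req: Request) -> bool:
    """Rule 1 with the direction fix: only client requests reach here."""
    return ("/wp-content/" in req.uri                  # content:"/wp-content/"; http_uri;
            and ".exe HTTP/1." in req.request_line      # content:".exe|20|HTTP/1."; fast_pattern:only;
            and EXE_URI_RE.search(req.uri) is not None)


def rule_fake_opera10_ua(req: Request) -> bool:
    """Rule 2: literal 'Opera/10 ' with no 'Accept' anywhere in the headers."""
    return ("Opera/10 " in req.headers                 # content:"Opera/10|20|"; http_header;
            and "Accept" not in req.headers)            # content:!"Accept"; http_header;


RULES = [
    ("Potential Sirefef hostile executable served from compromised or malicious "
     "WordPress site", rule_wp_content_exe),
    ("Sirefef Fake Opera 10 User-Agent", rule_fake_opera10_ua),
]


def scan(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Return (sample index, msg) for every rule that fires on each request."""
    alerts = []
    for idx, raw in enumerate(packets):
        req = parse_request(raw)
        if req is None:
            continue                     # to_server rules never see responses
        alerts.extend((idx, msg) for msg, rule in RULES if rule(req))
    return alerts


if __name__ == "__main__":
    for idx, msg in scan(SAMPLES):
        print(f"sample {idx}: {msg}")
```

Running it alerts only on samples 0 and 1. The pcre is what keeps sample 4 quiet: it requires the file name to be digits only, which is tighter than the fast-pattern content alone.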