[Snort-sigs] Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)

Joel Esler jesler at ...435...
Mon May 6 17:18:22 EDT 2013


On May 6, 2013, at 5:04 PM, waldo kitty <wkitty42 at ...3507...> wrote:

> On 5/6/2013 13:37, Joel Esler wrote:
>> On May 3, 2013, at 8:54 PM, lists at ...3397... <mailto:lists at ...3397...>
>> wrote:
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
>>> CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from
>>> compromised or malicious WordPress site"; flow:established,from_server;
>>> content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
>>> pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity;
>>> reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware
>>> <http://blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware>;
>>> sid:x; rev:1;)
>> 
>> Nathan,
>> 
>> Looking at what you are intending here, I think you mean it the other way
>> (HOME_NET -> $EXTERNAL_NET)
> 
> ok... now i'm officially confused... the flow in the rule is "from_server"... 
> with that specified, does it really matter if HOME_NET or EXTERNAL_NET come first?
> 
> then there's the situation of not only detecting this coming into a network from 
> an external server, but also of detecting this going out of a network that runs 
> servers feeding the public on the outside...
> 
> does the '->' really make any difference?
> 
> should it instead have been '<-' if the rule writer really wanted HOME_NET to be 
> first?

There is no such thing as "<-".  

The way that Nathan wrote the rule above says we are looking for a URI to be returned from a server external to our network to a client that initiated the connection.  This wouldn't work.  Which is why I said we need to reverse it to look for HOME_NET -> $EXTERNAL_NET and "to_server" in the flow.  That way we are alerting on someone making an outbound request for a file with the exe extension in the /wp-content/ directory on the server.

> 
> would using '<->' or '<>' (if either is allowed) detect the traffic no matter 
> which way the traffic was going (internal server to external client or external 
> server to internal client) no matter where the server is located??


<> is allowed, but isn't very descriptive from an alert point of view.  Plus, coupled with flow "to_server" you'd want to make sure that your msg was reflective of what you were trying to do in the rule.

http://blog.snort.org/2011/09/flow-matters.html

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
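A toy model of the point Joel makes above, added here as an illustration and not part of the original thread or of Snort itself: it hard-codes the rule header as Nathan posted it, the reversed header Joel suggests, and the "<>" variant waldo asked about, then evaluates each against a constructed request/response pair. It assumes placeholder bindings for $HOME_NET and $HTTP_PORTS, that $EXTERNAL_NET is !$HOME_NET, and that the http_uri buffer exists only in the client's request line (which is why a "from_server" rule inspecting http_uri can never match).

```python
"""Toy model of Snort header direction and flow:to_server/from_server.

Added example (not from the mailing-list post, not Snort's own parser): the
rule headers are hard-coded, not parsed, and the payload options are a small
re-implementation of the content/pcre checks in the posted rule.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed variable bindings (placeholders, not taken from the thread).
HOME_NET = [ip_network("10.0.0.0/8")]
HTTP_PORTS = {80, 8080}


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "to_server" (client -> server) or "from_server"
    payload: bytes


@dataclass
class Rule:
    src: tuple       # (address variable, port variable), e.g. ("HOME_NET", "any")
    op: str          # "->" or "<>"; Snort has no "<-"
    dst: tuple
    flow: str        # "to_server" or "from_server"


def addr_matches(var, ip):
    """$HOME_NET is the listed prefixes; $EXTERNAL_NET is assumed to be !$HOME_NET."""
    is_home = any(ip_address(ip) in net for net in HOME_NET)
    if var == "HOME_NET":
        return is_home
    if var == "EXTERNAL_NET":
        return not is_home
    raise ValueError(f"unknown address variable {var!r}")


def port_matches(var, port):
    if var == "any":
        return True
    if var == "HTTP_PORTS":
        return port in HTTP_PORTS
    raise ValueError(f"unknown port variable {var!r}")


def header_matches(rule, pkt):
    """Apply the rule header: '->' is source-to-destination only, '<>' is either way."""
    def one_way(src, dst):
        return (addr_matches(src[0], pkt.src_ip) and port_matches(src[1], pkt.src_port)
                and addr_matches(dst[0], pkt.dst_ip) and port_matches(dst[1], pkt.dst_port))
    if rule.op == "->":
        return one_way(rule.src, rule.dst)
    if rule.op == "<>":
        return one_way(rule.src, rule.dst) or one_way(rule.dst, rule.src)
    raise ValueError(f"unsupported direction operator {rule.op!r}")


REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")


def http_uri(pkt):
    """The http_uri buffer only exists for a client request line (assumption of this model)."""
    m = REQUEST_LINE.match(pkt.payload)
    return m.group(1) if m else None


def rule_fires(rule, pkt):
    r"""Header, then flow, then the payload options of the posted rule:
    content:"/wp-content/" in http_uri, content:".exe|20|HTTP/1.", pcre:"/\/\d+\.exe$/U"."""
    if not header_matches(rule, pkt) or rule.flow != pkt.direction:
        return False
    uri = http_uri(pkt)
    if uri is None or b"/wp-content/" not in uri:
        return False
    if b".exe HTTP/1." not in pkt.payload:
        return False
    return re.search(rb"/\d+\.exe$", uri) is not None


# Header and flow as posted: server -> client, from_server.
AS_POSTED = Rule(("EXTERNAL_NET", "HTTP_PORTS"), "->", ("HOME_NET", "any"), "from_server")
# Joel's suggestion: HOME_NET -> $EXTERNAL_NET with flow:to_server.
REVERSED = Rule(("HOME_NET", "any"), "->", ("EXTERNAL_NET", "HTTP_PORTS"), "to_server")
# The '<>' variant waldo asked about, still with to_server.
BIDIR = Rule(("HOME_NET", "any"), "<>", ("EXTERNAL_NET", "HTTP_PORTS"), "to_server")

# Constructed session: an internal client fetches an .exe from an external WordPress host.
REQUEST = Packet("10.1.2.3", 51000, "203.0.113.10", 80, "to_server",
                 b"GET /wp-content/uploads/1234.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
RESPONSE = Packet("203.0.113.10", 80, "10.1.2.3", 51000, "from_server",
                  b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ")


def alerts(rule):
    """Return the names of the constructed packets the rule alerts on."""
    return [name for name, pkt in (("request", REQUEST), ("response", RESPONSE))
            if rule_fires(rule, pkt)]


if __name__ == "__main__":
    for name, rule in (("as posted", AS_POSTED), ("reversed", REVERSED), ("<>", BIDIR)):
        print(f"{name:>10}: {alerts(rule) or 'no alert'}")
```

Run stand-alone, the posted header alerts on neither packet (the request fails the header, the response has no URI), while the reversed header and the "<>" variant both alert on the request only; "<>" adds nothing here because flow:to_server already pins the packet direction, which is why the bidirectional header mostly costs clarity in the alert message.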
