[Snort-sigs] Fwd: Re: Asprox Sig

James Lay jlay at ...3266...
Tue Nov 12 17:05:37 EST 2013



-------- Original Message --------
Subject: Re: [Snort-sigs] Asprox Sig
Date: 2013-11-12 15:05
 From: James Lay <jlay at ...3266...>
To: Geoffrey Serrao <gserrao at ...435...>

On 2013-11-12 15:00, Geoffrey Serrao wrote:
> Hey James,
>
> Thanks for your contribution. 
>
> Post data is actually stored in the http_client_body buffer (not
> http_header)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-CNC
>  Win32/Asprox Outbound Traffic"; flow:to_server, established;
> content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b|
> WOW64|3b|rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0";
> fast_pattern:only; http_header;
> content:"Content-Disposition|3a| form-data|3b|name=|22|key|22 3b|
> filename=|22|key.bin|22|"; http_client_body;
> 
> reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
> classtype:bad-unknown; sid:10000111; rev:1;)
>
> Looks like a solid rule, the post data looks pretty unique. 
>
> The VRT might recommend adding nocase to the second content match, but
> I'm not sure it's necessary.
>
> On Tue, Nov 12, 2013 at 4:05 PM, James Lay <jlay at ...3266...> wrote:
>
>> Ok..so how bad did I hose this:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"MALWARE-CNC
>> Win32/Asprox Outbound Traffic"; flow:to_server, established;
>> content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b|
>> WOW64|3b|
>> rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only;
>> http_header; content:"Content-Disposition|3a| form-data|3b|
>> name=|22|key|22 3b| filename=|22|key.bin|22|"; http_header;
>>
>> reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html;
>> classtype:bad-unknown; sid:10000111; rev:1;)
>>
>> James
>
> Geoffrey J. Serrao
> SOURCEfire Technical Support
> My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - 
> Friday.
> If you need assistance outside of these hours, please contact
> support at ...435... and another engineer will respond.

Thanks Alex and Geoffrey.

Yea I was confused on just where Content-Disposition: landed...is it a 
header, or is it body?  I was thinking of adding both key.bin and 
data.bin, but thought I'd just shoot for the one.  Thank you!

James
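As an added example (not from the thread) of Geoffrey's point about buffers, the script below splits a constructed multipart POST into the buffers Snort's HTTP inspector exposes and evaluates both versions of the rule's content matches against them; the sample request, the approximation of the buffer boundaries, and the spacing inside the line-wrapped content strings are my assumptions.

```python
# Added example, not code from the thread: show why the Content-Disposition
# match only hits when it is tied to http_client_body, not http_header.

# Constructed multipart POST body; only the header/body layout matters here.
BODY = (
    b"------constructed\r\n"
    b'Content-Disposition: form-data; name="key"; filename="key.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\x00\x01\x02\x03\r\n"
    b"------constructed--\r\n"
)
SAMPLE_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) "
    b"Gecko/20100101 Firefox/23.0\r\n"
    b"Content-Type: multipart/form-data; boundary=----constructed\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
)

# Content strings from the rule; the spaces after |3b| are assumed, since the
# mailing list wrapped those lines.
UA_MATCH = ("User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| "
            "rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0")
CD_MATCH = ("Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| "
            "filename=|22|key.bin|22|")

def snort_buffers(request: bytes) -> dict:
    """Approximate Snort's HTTP buffers: http_header is the header block
    after the request line up to the blank line; http_client_body is the
    rest. Real Snort normalises more, but the split is the same."""
    head, _, body = request.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return {"http_uri": request_line.split(b" ")[1],
            "http_header": headers + b"\r\n",
            "http_client_body": body}

def decode_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes."""
    out = b""
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out

def matching_buffers(pattern: str, request: bytes) -> list:
    """Name every buffer in which the decoded pattern is found."""
    needle = decode_snort_content(pattern)
    return [n for n, buf in snort_buffers(request).items() if needle in buf]

def rule_fires(content_checks, request: bytes) -> bool:
    """Evaluate (pattern, buffer) pairs the way the rule's content/modifier
    pairs are: every content must match in its own buffer."""
    bufs = snort_buffers(request)
    return all(decode_snort_content(p) in bufs[b] for p, b in content_checks)
```

Running `rule_fires` with both patterns on `http_header` (James's first draft) returns False, while moving the second to `http_client_body` (Geoffrey's correction) returns True.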
