[Snort-sigs] Expiro sigs

Geoffrey Serrao gserrao at ...435...
Thu Nov 14 11:48:48 EST 2013


It looks like these POST requests are missing an x5f character in the URI,
which sticks out to me as odd.

Maybe you could add that check. Something like:

content: !"/"; http_uri;

After the second content match. This would add an additional check to avoid
engaging the pcre unless absolutely necessary.
Just throwing that out there as a potential option if you find that this
rule is performance heavy the way it is.


On Thu, Nov 14, 2013 at 10:12 AM, Y M <snort at ...3751...> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Expiro HID post attempt"; flow:to_server,established;
> urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A
> 20|Mozilla"; http_header;
> pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi";
> fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset
> community, service http; reference:url,
> kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf;
> classtype:trojan-activity; sid:100109; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Expiro HID post attempt"; flow:to_server,established;
> urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A
> 20|Mozilla"; http_header;
> pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi";
> fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset
> community, service http; reference:url,
> kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf;
> classtype:trojan-activity; sid:100111; rev:1;)
>
> Any help with the pcre is highly appreciated. Also, from the reference, it's
> not 100% clear to me if the URI of length (13-20) is actually associated
> with a POST request.
>
> Thanks.
> YM



-- 
Geoffrey J. Serrao
SOURCEfire Technical Support
My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - Friday. If
you need assistance outside of these hours, please contact
support at ...435... and another engineer will respond.
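To make the ordering point concrete, here is an added Python model (written for this thread, not code from the rule author or from Snort itself) of the sid:100111 rule's checks, run over constructed requests: the cheap method, urilen and content options gate the pcre so it is only evaluated when they pass. It assumes urilen:13<>20 is an exclusive range and treats the header buffer as one newline-joined string.

```python
import re

# PCRE from the sid:100111 rule above, in Python syntax. Snort's /H flag
# scopes it to the header buffer; /m and /i map to MULTILINE and IGNORECASE.
EXPIRO_UA_RE = re.compile(
    r"^User-Agent:[^\n]*?NT[0-9]\.1\.[0-9]{4}-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}"
    r"-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8};\s\.NET\sCLR\s[0-9]{8}/[0-9]{8}",
    re.MULTILINE | re.IGNORECASE,
)

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_buffer)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, "\n".join(header_lines) + "\n"

def expiro_match(raw: bytes):
    """Return (alert, pcre_evaluated) for one request, applying the rule's
    options cheapest first: method, urilen, content, and only then the pcre."""
    method, uri, headers = parse_request(raw)
    if method != "POST":                       # content:"POST"; http_method;
        return False, False
    if not 13 < len(uri) < 20:                 # urilen:13<>20 (assumed exclusive)
        return False, False
    if "User-Agent: Mozilla" not in headers:   # content:"User-Agent|3A 20|Mozilla";
        return False, False
    return EXPIRO_UA_RE.search(headers) is not None, True

def scan(requests):
    """Return (alerts, pcre_evaluations) over a list of raw requests."""
    alerts = pcre_runs = 0
    for raw in requests:
        alert, ran = expiro_match(raw)
        alerts += alert
        pcre_runs += ran
    return alerts, pcre_runs

# Constructed sample traffic (not real captures). Only the last request carries
# an Expiro-style User-Agent; the third reaches the pcre but does not match it.
EXPIRO_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT5.1.0001-ABCDEFGH"
             ".XYZ.ABCDEFGH-123456-ABCDEF-ABCDEFGH; .NET CLR 12345678/12345678)")
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: a.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: a.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /api/v1/submit HTTP/1.1\r\nHost: a.example\r\nUser-Agent: Mozilla/5.0 (X11)\r\n\r\n",
    ("POST /api/v1/submit HTTP/1.1\r\nHost: a.example\r\nUser-Agent: " + EXPIRO_UA + "\r\n\r\n").encode(),
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))  # (1, 2)
```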