[Snort-sigs] Expiro sigs

Carlos Pacho cpacho at ...435...
Thu Nov 14 13:17:25 EST 2013


Thanks!  We'll get these tested.


Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho at ...435...
Sourcefire.com <http://www.sourcefire.com/>


On Thu, Nov 14, 2013 at 10:12 AM, Y M <snort at ...3751...> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Expiro HID post attempt"; flow:to_server,established;
> urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A
> 20|Mozilla"; http_header;
> pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi";
> fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset
> community, service http; reference:url,
> kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf;
> classtype:trojan-activity; sid:100109; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Expiro HID post attempt"; flow:to_server,established;
> urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A
> 20|Mozilla"; http_header;
> pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi";
> fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset
> community, service http; reference:url,
> kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf;
> classtype:trojan-activity; sid:100111; rev:1;)
>
> Any help with the pcre is highly appreciated. Also, from the reference it's
> not 100% clear to me if the URI of length (13-20) is actually associated
> with a POST request.
>
> Thanks.
> YM
>
>
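Added example, not part of this thread and not VRT or Sourcefire code: a small Python harness that mirrors the option logic of YM's two proposed rules (POST method, `urilen:13<>20`, the `User-Agent|3A 20|Mozilla` content match, and each pcre carried over verbatim with Snort's `m` and `i` flags mapped to `re.M | re.I`) and runs it over constructed HTTP requests. Snort's `H` flag has no Python equivalent, so the harness applies the pattern to the header block it extracts itself; `fast_pattern:only` is a matcher hint and is not modelled. The function names, sample URIs and User-Agent strings are the example's own inventions, not captured Expiro traffic, and the `<>` range is treated as exclusive on both ends, as the Snort 2.x manual describes `urilen`.

```python
import re

# pcre bodies from YM's proposed rules, copied verbatim (Snort flags H, m, i).
PCRE_SID_100109 = (
    r"^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}"
    r"\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}"
)
PCRE_SID_100111 = PCRE_SID_100109 + r"\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}"

# m -> re.M, i -> re.I; H is approximated by searching only the header block.
RULES = {
    100109: re.compile(PCRE_SID_100109, re.M | re.I),
    100111: re.compile(PCRE_SID_100111, re.M | re.I),
}


def split_request(raw: bytes):
    """Return (method, uri, header_block) for a raw HTTP/1.x request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    # Header lines joined with "\n" so that ^ under re.M anchors at each line.
    return method, uri, "\n".join(lines[1:]) + "\n"


def urilen_between(uri: str, low: int, high: int) -> bool:
    # Assumption: Snort 2.x 'urilen:low<>high' is exclusive on both ends.
    return low < len(uri) < high


def matching_sids(raw: bytes) -> list[int]:
    """Return the SIDs whose option chain is satisfied by this request."""
    method, uri, headers = split_request(raw)
    # content:"POST"; http_method;  and  urilen:13<>20
    if method != "POST" or not urilen_between(uri, 13, 20):
        return []
    # content:"User-Agent|3A 20|Mozilla"; http_header; (case-sensitive, no nocase)
    if "User-Agent: Mozilla" not in headers:
        return []
    return [sid for sid, rx in RULES.items() if rx.search(headers)]


def build_request(uri: str, user_agent: str) -> bytes:
    # Constructed sample traffic for the demonstration, not captured data.
    return (
        f"POST {uri} HTTP/1.1\r\n"
        f"Host: example.invalid\r\n"
        f"User-Agent: {user_agent}\r\n"
        f"Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


# Constructed User-Agent strings shaped to the regex, not real samples.
UA_BOTH = ("Mozilla/4.0 (compatible; Windows NT5.1.2600-ABCDEF12.XYZ.12345678"
           "-123456-ABCDEF-12345678; .NET CLR 12345678/87654321)")
UA_NO_CLR = ("Mozilla/4.0 (compatible; Windows NT5.1.2600-ABCDEF12.XYZ.12345678"
             "-123456-ABCDEF-12345678)")
UA_LOWER = ("Mozilla/4.0 (compatible; Windows nt5.1.2600-abcdef12.xyz.12345678"
            "-123456-abcdef-12345678)")
UA_BENIGN = "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"

if __name__ == "__main__":
    for label, uri, ua in [
        ("both sids", "/abcdefghijklmn", UA_BOTH),
        ("first sid only", "/abcdefghijklmn", UA_NO_CLR),
        ("lowercase token (i flag)", "/abcdefghijklmn", UA_LOWER),
        ("benign UA", "/abcdefghijklmn", UA_BENIGN),
        ("uri too long", "/" + "a" * 25, UA_BOTH),
    ]:
        print(f"{label:26s} -> {matching_sids(build_request(uri, ua))}")
```

Two things the harness makes visible that the rule text does not: because the pcre carries the `i` flag, the `[A-Z]` and `[A-Z0-9]` classes also accept lowercase, so the `UA_LOWER` case still fires sid 100109 even though only the `Mozilla` literal is matched case-sensitively; and a User-Agent that fits the pattern but arrives on a URI outside 13<>20 produces no alert at all, which is exactly the coupling YM is unsure about in the reference.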

