[Snort-sigs] Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"

lists at ...3397...
Wed Sep 11 10:17:07 EDT 2013


I'll let you convert this into VRT format; this was originally shared at
https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022768.html
and I'm turning it over to VRT COMMUNITY as well. Thanks!

I'm seeing some pretty big wins here, thoughts?  I've regression-tested this
from 8/01+ with no false positives and only true wins.  Credit to V.L. on the
sig, with only some minor changes from me.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
Blackhole hex and wordlist initial landing and exploit path";
flow:established,to_server; urilen:>70,norm; content:".php"; http_uri;
fast_pattern:only;
pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U";
classtype:trojan-activity; sid:x; rev:1;)

Some regression testing:

select distinct date_time,http_status,url from webwasher_full where
day>='2013-08-01' and url rlike
'http:\\/\\/[^\\x2f]+\\/[a-f0-9]{5,}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\.php';

[03/Aug/2013:10:28:59 -0600]    200
hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php

[03/Aug/2013:10:29:00 -0600]    404
hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv

[12/Aug/2013:07:21:08 -0600]    502
hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php

[19/Aug/2013:09:54:33 -0600]    200
hxxp://bnaafv.t1.domainswellngtons.com/065952/factors-survives_altering/merely-calling_regulations-book.php

[19/Aug/2013:09:54:36 -0600]    404
hxxp://www.ifcsutah.com/065952/factors-survives_altering/merely-calling_regulations-book.php?PvxbnFCXy=ksdQav&LgZxC=ZgPitLAMjjO

[19/Aug/2013:16:04:13 -0600]    502
hxxp://sbwbwz.www3.localsearcherstuners.net/104aa6/mechanism-ultimately/advertises-discover-operations.php

[20/Aug/2013:12:00:43 -0600]    502
hxxp://vnbxmr.ll2.domaindcomsdoctoriss.com/49bcde/repeats_stayed_fields/wanting-introducing.php

[26/Aug/2013:13:39:25 -0600]    200
hxxp://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php

[26/Aug/2013:14:11:05 -0600]    200
hxxp://xdsbhi.zxc1.domainswealthynodes.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php

[26/Aug/2013:14:11:06 -0600]    404
hxxp://www.trainingap.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php?TtESMCoBkbMAGl=iWUpOduLQTx&tvtbkQDqLDxm=MOiVhdpSSzXjm

[28/Aug/2013:11:13:31 -0600]    200
hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/company-lorries/released_arises.php

[28/Aug/2013:11:13:34 -0600]    404
hxxp://www.lincolncountyco.us/5ca711/company-lorries/released_arises.php?HpMUFQISFd=PqYLvOpvsEO&hDmbxLVL=veGgPauJiKqpP

[28/Aug/2013:11:14:18 -0600]    404
hxxp://www.lincolncountyco.us/5ca711/constant-putting/allowed_greater_removes.php?BfCRSa=PMlCcqB&rfvRRZlpbQlYIq=yYslQpJrgrktX

[28/Aug/2013:11:14:18 -0600]    200
hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/constant-putting/allowed_greater_removes.php

[29/Aug/2013:13:29:09 -0600]    200
hxxp://nmztle.www2.domainsegghipesunic.net/bcb655/remembered-cumming/derives-sun-restores_limited.php

[29/Aug/2013:13:29:13 -0600]    404
hxxp://www.lincolncountyco.us/bcb655/remembered-cumming/derives-sun-restores_limited.php?YfjJvzOWjghc=DOfqfbhq&HaEMS=BfYzdzC

[03/Sep/2013:15:31:23 -0600]    200
hxxp://kxwubnxvbxkn.qwe3.wyearsale.net/21b37/jobs-acted/opinions-obtains-flied-belongs.php

[03/Sep/2013:15:31:25 -0600]    404
hxxp://domainseercher.pw/21b37/jobs-acted/opinions-obtains-flied-belongs.php?byVHMcyU=ctZxaastsBksZ&xFZSrsWAeoQp=pnImtrixlywjKp

PCRE Testing:

PCRE version 8.12 2011-01-15

  re> /\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/
data> http://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
 0: /af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
data> ^C

Cheers,
Nathan Fowler
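
Added example, not part of the original post and not code from VRT or Emerging Threats: a small Python replay of the proposed rule's three match conditions (content:".php", the pcre, and urilen:>70) against request URIs. The rlike regression query above tests only the path regex, so this replay also shows, for each logged hit, whether the URI is long enough to clear the urilen threshold. It assumes the request URI Snort's http_uri buffer sees is the path plus query string from the request line; the first URLs come from the regression listing above (hxxp restored to http), and the example.com URLs are constructed for illustration.

```python
# Added example (not part of the original post): replay the proposed rule's
# three match conditions against request URIs, so the pcre and the urilen
# threshold can be checked offline against logged hits before the rule is
# loaded on a sensor.
import re
from urllib.parse import urlsplit

# The pcre from the proposed rule, copied unchanged. Snort's /U flag makes it
# run against the normalized URI buffer; here it runs against the request URI
# extracted below.
BLACKHOLE_PATH = re.compile(
    r"/[a-f0-9]{5,}/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}"
    r"/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php"
)

URILEN_MIN = 70  # urilen:>70 is strictly greater-than


def request_uri(url: str) -> str:
    """Path plus query of a full URL.

    Assumption: this is what the client put on the request line, and so what
    Snort's http_uri buffer and urilen measure.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{path}?{parts.query}" if parts.query else path


def evaluate(url: str) -> dict:
    """Apply content:".php", the pcre and urilen:>70 to one URL, reporting each."""
    uri = request_uri(url)
    m = BLACKHOLE_PATH.search(uri)
    result = {
        "uri": uri,
        "urilen": len(uri),
        "content_php": ".php" in uri,         # content:".php"; http_uri;
        "pcre": m.group(0) if m else None,    # pcre:"/.../U";
        "urilen_ok": len(uri) > URILEN_MIN,   # urilen:>70,norm;
    }
    result["alert"] = result["content_php"] and m is not None and result["urilen_ok"]
    return result


# Hits taken from the regression-test listing in the post (hxxp restored to
# http), followed by constructed URLs that do not appear in the post.
POST_HITS = [
    "http://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php",
    "http://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv",
    "http://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php",
    "http://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php",
]
CONSTRUCTED = [
    # hex directory, but no hyphen/underscore in the following segments
    "http://www.example.com/deadbeef/readme/index.php",
    # long benign-looking path with a query and no hex directory at all
    "http://www.example.com/wp-content/plugins/contact-form-7/includes/js/scripts.php?ver=3.5.2&lang=en_US",
    # shape the pcre accepts, but too short for urilen:>70
    "http://cdn.example.com/7f3a9c/assets-build/main-bundle.php",
]


def alerting(urls):
    """Return the request URIs from `urls` on which the full rule would fire."""
    return [r["uri"] for r in map(evaluate, urls) if r["alert"]]


if __name__ == "__main__":
    for url in POST_HITS + CONSTRUCTED:
        r = evaluate(url)
        print(f"{'ALERT' if r['alert'] else '-----'} len={r['urilen']:3d} "
              f"pcre={'hit' if r['pcre'] else 'miss'} {r['uri']}")
```

Running it prints one line per URI with the urilen and whether the pcre hit; the first landing URI above reproduces the pcretest match from the post while measuring 69 characters without a query string, so only the variants that exceed 70 characters reach the alert.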
