[Snort-sigs] Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"

Joel Esler jesler at ...435...
Wed Sep 11 12:16:48 EDT 2013


Nathan,

Thanks.  Oddly enough I am testing a rule like that right now in our test systems.  Our concern is false positive rate because of the generic structure.  If we test okay on it, I’ll move that rule to the community ruleset once committed.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



On Sep 11, 2013, at 10:17 AM, lists at ...3397... wrote:

> I'll let you convert this into VRT format, this was originally shared at
> https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022768.html
> and I'm turning it over to VRT COMMUNITY as well, thanks!
> 
> I'm seeing some pretty big win here, thoughts?  I've regression tested this
> from 8/01+ with no false positives and only true win.  Credits to V.L. on the
> sig with only some minor changes from me.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Blackhole hex and wordlist initial landing and exploit path";
> flow:established,to_server; urilen:>70,norm; content:".php"; http_uri;
> fast_pattern:only;
> pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U";
> classtype:trojan-activity; sid:x; rev:1;)
> 
> Some regression testing:
> 
> select distinct date_time,http_status,url from webwasher_full where
> day>='2013-08-01' and url rlike
> 'http:\\/\\/[^\\x2f]+\\/[a-f0-9]{5,}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\.php';
> 
> [03/Aug/2013:10:28:59 -0600]    200
> hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> 
> [03/Aug/2013:10:29:00 -0600]    404
> hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv
> 
> [12/Aug/2013:07:21:08 -0600]    502
> hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php
> 
> [19/Aug/2013:09:54:33 -0600]    200
> hxxp://bnaafv.t1.domainswellngtons.com/065952/factors-survives_altering/merely-calling_regulations-book.php
> 
> [19/Aug/2013:09:54:36 -0600]    404
> hxxp://www.ifcsutah.com/065952/factors-survives_altering/merely-calling_regulations-book.php?PvxbnFCXy=ksdQav&LgZxC=ZgPitLAMjjO
> 
> [19/Aug/2013:16:04:13 -0600]    502
> hxxp://sbwbwz.www3.localsearcherstuners.net/104aa6/mechanism-ultimately/advertises-discover-operations.php
> 
> [20/Aug/2013:12:00:43 -0600]    502
> hxxp://vnbxmr.ll2.domaindcomsdoctoriss.com/49bcde/repeats_stayed_fields/wanting-introducing.php
> 
> [26/Aug/2013:13:39:25 -0600]    200
> hxxp://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php
> 
> [26/Aug/2013:14:11:05 -0600]    200
> hxxp://xdsbhi.zxc1.domainswealthynodes.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php
> 
> [26/Aug/2013:14:11:06 -0600]    404
> hxxp://www.trainingap.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php?TtESMCoBkbMAGl=iWUpOduLQTx&tvtbkQDqLDxm=MOiVhdpSSzXjm
> 
> [28/Aug/2013:11:13:31 -0600]    200
> hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/company-lorries/released_arises.php
> 
> [28/Aug/2013:11:13:34 -0600]    404
> hxxp://www.lincolncountyco.us/5ca711/company-lorries/released_arises.php?HpMUFQISFd=PqYLvOpvsEO&hDmbxLVL=veGgPauJiKqpP
> 
> [28/Aug/2013:11:14:18 -0600]    404
> hxxp://www.lincolncountyco.us/5ca711/constant-putting/allowed_greater_removes.php?BfCRSa=PMlCcqB&rfvRRZlpbQlYIq=yYslQpJrgrktX
> 
> [28/Aug/2013:11:14:18 -0600]    200
> hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/constant-putting/allowed_greater_removes.php
> 
> [29/Aug/2013:13:29:09 -0600]    200
> hxxp://nmztle.www2.domainsegghipesunic.net/bcb655/remembered-cumming/derives-sun-restores_limited.php
> 
> [29/Aug/2013:13:29:13 -0600]    404
> hxxp://www.lincolncountyco.us/bcb655/remembered-cumming/derives-sun-restores_limited.php?YfjJvzOWjghc=DOfqfbhq&HaEMS=BfYzdzC
> 
> [03/Sep/2013:15:31:23 -0600]    200
> hxxp://kxwubnxvbxkn.qwe3.wyearsale.net/21b37/jobs-acted/opinions-obtains-flied-belongs.php
> 
> [03/Sep/2013:15:31:25 -0600]    404
> hxxp://domainseercher.pw/21b37/jobs-acted/opinions-obtains-flied-belongs.php?byVHMcyU=ctZxaastsBksZ&xFZSrsWAeoQp=pnImtrixlywjKp
> 
> PCRE Testing:
> 
> PCRE version 8.12 2011-01-15
> 
>  re>
> /\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/
> data>
> http://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> 0: /af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> data> ^C
> 
> Cheers,
> Nathan Fowler
> 

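As an added example (not part of either message above, and not VRT or Emerging Threats code), the following Python script replays the three URI conditions of the proposed rule (urilen:>70, content:".php" in the URI, and the PCRE) against the request-URIs from Nathan's log excerpt plus two constructed URLs: a benign long URL that should not match, and a benign-looking URL built to show the false-positive shape Joel is worried about. The regex is the post's PCRE verbatim (the /U modifier only selects Snort's normalized URI buffer, so it is dropped here); the helper and function names, the `hxxp://` defanging handling and the constructed URLs are mine.

```python
import re
from urllib.parse import urlsplit

# PCRE from the proposed rule, unchanged; Python's re accepts this syntax.
BLACKHOLE_PATH_RE = re.compile(
    r"/[a-f0-9]{5,}/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}"
    r"/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php"
)
URILEN_MIN = 70  # the rule's urilen:>70 (strictly greater than)


def request_uri(url):
    """Return path plus query, i.e. the request-URI as it appears on the
    request line, which is what urilen and the http_uri buffer see.
    Defanged hxxp:// URLs (as in the log excerpt) are accepted."""
    parts = urlsplit(url.replace("hxxp://", "http://", 1))
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri


def evaluate(url):
    """Apply each of the rule's URI conditions separately so a miss can be
    attributed to a specific keyword rather than to the rule as a whole."""
    uri = request_uri(url)
    return {
        "uri": uri,
        "urilen": len(uri),
        "urilen_ok": len(uri) > URILEN_MIN,
        "content_ok": ".php" in uri,
        "pcre_ok": BLACKHOLE_PATH_RE.search(uri) is not None,
    }


def rule_fires(url):
    """True only when all three URI conditions hold, as in the rule."""
    r = evaluate(url)
    return r["urilen_ok"] and r["content_ok"] and r["pcre_ok"]


# Request-URIs taken from the log excerpt in the post (hosts defanged there).
LOGGED_URLS = [
    "hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php",
    "hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv",
    "hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php",
    "hxxp://bnaafv.t1.domainswellngtons.com/065952/factors-survives_altering/merely-calling_regulations-book.php",
    "hxxp://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php",
]

# Constructed (not observed) URLs for the false-positive check.
BENIGN_NO_HEX_DIR = "http://www.example.com/blog/category/security-news/2013/09/long-article-title-about-something.php?page=2"
BENIGN_LOOKALIKE = "http://cdn.example.com/1a2b3c4d/summer-sale-catalog-download/product-list-export-tool.php?v=2013"


if __name__ == "__main__":
    for url in LOGGED_URLS + [BENIGN_NO_HEX_DIR, BENIGN_LOOKALIKE]:
        r = evaluate(url)
        print(f"len={r['urilen']:3d} urilen={r['urilen_ok']!s:5} "
              f"pcre={r['pcre_ok']!s:5} fires={rule_fires(url)!s:5} {r['uri']}")
```

Running it shows two things worth carrying into the VRT conversion. First, urilen measures the whole request-URI, and the query-less landing requests for the af1049 and 065952 paths are exactly 69 characters, so they match the PCRE but fall under urilen:>70; only the follow-up requests carrying a query string, and the longer 96f500 path (72 characters), satisfy all three conditions. Second, the constructed lookalike URL (a hex-named directory, two hyphenated word paths and a .php file with a short query) fires the rule while containing nothing malicious, which is the generic-structure false-positive risk Joel raises; a real rollout should count such hits across ordinary proxy traffic before committing the rule.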

