[Snort-sigs] flowbits check needed?

Y M snort at ...3751...
Sat Feb 15 17:12:43 EST 2014


Good points Rmkml. Unfortunately I do not have a pcap, just the wireshark screenshot from the reference. My initial thought was not to tag on the value of the query string "p" as it may change, but now I see the confusion with the pcre (always gets me), hence, the reason I did not include urilen. I added the (i) to ignore the case in the pcre.
 
Here is a revised sig (will do another revision!):
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:100160; rev:12;)
 
Thanks Rmkml.
YM
 

 
> Date: Sat, 15 Feb 2014 22:37:44 +0100
> From: rmkml at ...174...
> To: snort at ...3751...
> CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> Subject: Re: [Snort-sigs] flowbits check needed?
> 
> Thx you YM for sharing,
> 
> Well not easy to understand if you need (java) flowbits or not,
> 
> I think not because Java User-Agent are on same than URI.
> 
> warn: pcre miss '/' after first escape '\'.
> 
> Could you have pcap please ?
> 
> Maybe add urilen:17.
> 
> Remove {1} on pcre because \d is not more repeat.
> 
> warn2: http_uri are not nocase, but pcre yes (i): why ?
> 
> 
> Another similar sig already exist:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
> CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; 
> content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; 
> fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2;)
> 
> 
> Regards
> @Rmkml
> 
> 
> On Sat, 15 Feb 2014, Y M wrote:
> 
> > I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts?
> >  
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header;
> > fast_pattern:only; pcre:"/\download\.asp\?p\=\d{1}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
> > reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid: 100160; rev:1;)
> >  
> > YM
> > 
> >