[Snort-sigs] flowbits check needed?

Joel Esler (jesler) jesler at ...3865...
Sun Feb 16 14:11:07 EST 2014


Thanks Yaser!  We'll take a look at this. 

--
Joel Esler
Sent from my iPhone

> On Feb 15, 2014, at 17:16, "Y M" <snort at ...3751...> wrote:
> 
> Good points Rmkml. Unfortunately I do not have a pcap, just the Wireshark screenshot from the reference. My initial thought was not to tag on the value of the query string "p" as it may change, but now I see the confusion with the pcre (always gets me), hence the reason I did not include urilen. I added the (i) to ignore the case in the pcre.
>  
> Here is a revised sig (will do another revision!):
>  
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:100160; rev:12;)
>  
> Thanks Rmkml.
> YM
>  
> 
>  
> > Date: Sat, 15 Feb 2014 22:37:44 +0100
> > From: rmkml at ...174...
> > To: snort at ...3751...
> > CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> > Subject: Re: [Snort-sigs] flowbits check needed?
> > 
> > Thank you YM for sharing,
> > 
> > Well, it is not easy to tell whether you need the (java) flowbits or not,
> > 
> > I think not, because the Java User-Agent is in the same request as the URI.
> > 
> > warn: the pcre is missing '/' after the first escape '\'.
> > 
> > Could you provide a pcap please?
> > 
> > Maybe add urilen:17.
> > 
> > Remove {1} from the pcre because \d is not repeated.
> > 
> > warn2: the http_uri content is not nocase, but the pcre is (i): why?
> > 
> > 
> > Another similar sig already exists:
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2;)
> > 
> > 
> > Regards
> > @Rmkml
> > 
> > 
> > On Sat, 15 Feb 2014, Y M wrote:
> > 
> > > I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts?
> > >  
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header;
> > > fast_pattern:only; pcre:"/\download\.asp\?p\=\d{1}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
> > > reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid: 100160; rev:1;)
> > >  
> > > YM
> > > 
> > >
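A small added harness (mine, not code from the thread) that runs the rev:1 and rev:12 pcre variants, the nocase question and the urilen:17 suggestion over constructed URIs, to show why Rmkml flagged the missing '/' and why the content/pcre case handling should agree; the http_header check is not modelled.

```python
import re

# Constructed sample normalized-URI buffers (not taken from the page).
URIS = [
    "/download.asp?p=1",
    "/Download.ASP?P=1",
    "/download.asp?p=12",
    "/files/download.asp?p=3",
]

# pcre bodies from the two rules in the thread ('U' selects the URI buffer,
# 'i' is ignore-case; both are emulated below with Python's re module).
ORIGINAL_PCRE = r"\download\.asp\?p\=\d{1}$"   # rev:1  -> '\d' eats the 'd'
REVISED_PCRE = r"\/download\.asp\?p\=\d$"      # rev:12 -> literal '/download'


def pcre_matches(pattern, uri, ignore_case=True):
    """Emulate pcre:"/.../Ui" against a normalized URI buffer."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, uri, flags) is not None


def urilen_matches(uri, length):
    """Emulate urilen:<n> (exact length of the normalized URI)."""
    return len(uri) == length


def rule_fires(uri, content="/download.asp?p=", nocase=False,
               pattern=REVISED_PCRE, urilen=None):
    """URI-side checks of the thread's rule: content (+nocase), pcre, urilen."""
    hay = uri.lower() if nocase else uri
    needle = content.lower() if nocase else content
    if needle not in hay:
        return False                      # content; http_uri; failed
    if urilen is not None and not urilen_matches(uri, urilen):
        return False                      # urilen:17 failed
    return pcre_matches(pattern, uri)     # pcre with /Ui


if __name__ == "__main__":
    for uri in URIS:
        print(f"{uri!r:28} rev1={pcre_matches(ORIGINAL_PCRE, uri)!s:5} "
              f"rev12={pcre_matches(REVISED_PCRE, uri)!s:5} "
              f"nocase={rule_fires(uri, nocase=True)!s:5} "
              f"urilen17={rule_fires(uri, nocase=True, urilen=17)}")
```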