[Snort-sigs] flowbits check needed?

Y M snort at ...3751...
Sun Feb 16 14:20:57 EST 2014


Thanks Joel.
 
YM 
From: jesler at ...3865...
To: snort at ...3751...
CC: rmkml at ...174...; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] flowbits check needed?
Date: Sun, 16 Feb 2014 19:11:07 +0000

Thanks Yaser!  We'll take a look at this. 

--Joel Esler
Sent from my iPhone
On Feb 15, 2014, at 17:16, "Y M" <snort at ...3751...> wrote:



Good points Rmkml. Unfortunately I do not have a pcap, just the wireshark screenshot from the reference. My initial thought was not to tag on the value of the query string "p" as it may change, but now I see the confusion with the pcre (always gets me), hence, the reason I did not include urilen. I added the (i) to ignore the case in the pcre.
 
Here is a revised sig (will do another revision!):
 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:100160; rev:12;)
 
Thanks Rmkml.
YM
 

 
> Date: Sat, 15 Feb 2014 22:37:44 +0100
> From: rmkml at ...174...
> To: snort at ...3751...
> CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> Subject: Re: [Snort-sigs] flowbits check needed?
> 
> Thx you YM for sharing,
> 
> Well not easy to understand if you need (java) flowbits or not,
> 
> I think not because Java User-Agent are on same than URI.
> 
> warn: pcre miss '/' after first escape '\'.
> 
> Could you have pcap please ?
> 
> Maybe add urilen:17.
> 
> Remove {1} on pcre because \d is not more repeat.
> 
> warn2: http_uri are not nocase, but pcre yes (i): why ?
> 
> 
> Another similar sig already exist:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
> CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; 
> content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; 
> fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2;)
> 
> 
> Regards
> @Rmkml
> 
> 
> On Sat, 15 Feb 2014, Y M wrote:
> 
> > I am trying to write this signature but not sure whether to add the flowbits check for the java user agent. Thoughts?
> >  
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; http_uri; content:" Java/1."; http_header;
> > fast_pattern:only; pcre:"/\download\.asp\?p\=\d{1}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
> > reference:url,http://www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid: 100160; rev:1;)
> >  
> > YM
> > 
> >
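As an added illustration, not part of the thread, the following Python script models the URI and User-Agent options of the three rules discussed (YM's rev:1 and rev:12, and ET sid 2017039, with and without Rmkml's urilen:17 suggestion) and runs them over constructed HTTP requests. It assumes Snort's content/nocase/http_uri, pcre /U and /i, and urilen semantics as described in the thread; the sample requests are invented, since no pcap was available.

```python
import re

# Constructed sample requests (the thread had no pcap); the third field stands
# in for the http_header buffer, where the " Java/1." content is matched.
SAMPLES = [
    ("redkit-like", "/download.asp?p=1",  "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"),
    ("mixed-case",  "/Download.ASP?P=3",  "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_45"),
    ("two-digit-p", "/download.asp?p=12", "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"),
    ("browser-ua",  "/download.asp?p=1",  "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"),
]

# Each entry models the URI-related options of one rule from the thread;
# the " Java/1." http_header content is common to all of them.
RULES = {
    # rev:1 as first posted: the pcre starts with "\download", so \d is read as
    # a digit class followed by "ownload", which can never match "/download".
    "rev1":  dict(uri="/download.asp?p=", nocase=False, urilen=None,
                  pcre=re.compile(r"\download\.asp\?p\=\d{1}$")),
    # rev:12 as revised: "/" restored, {1} dropped, nocase and /i now agree.
    "rev12": dict(uri="/download.asp?p=", nocase=True, urilen=None,
                  pcre=re.compile(r"\/download\.asp\?p\=\d$", re.I)),
    # ET 2017039: exact "p=1", case-sensitive, no pcre, no end anchoring.
    "et":    dict(uri="/download.asp?p=1", nocase=False, urilen=None, pcre=None),
    # ET plus Rmkml's urilen:17, which pins the URI to exactly "/download.asp?p=N".
    "et+urilen": dict(uri="/download.asp?p=1", nocase=False, urilen=17, pcre=None),
}

def rule_fires(rule, uri, header):
    """Apply the modelled options in the order Snort would evaluate them."""
    if " Java/1." not in header:          # content:" Java/1."; http_header
        return False
    if rule["nocase"]:                    # content:"..."; nocase; http_uri
        if rule["uri"].lower() not in uri.lower():
            return False
    elif rule["uri"] not in uri:          # content:"..."; http_uri (case-sensitive)
        return False
    if rule["urilen"] is not None and len(uri) != rule["urilen"]:
        return False                      # urilen:17
    if rule["pcre"] is not None and not rule["pcre"].search(uri):
        return False                      # pcre:"/.../U" against the URI buffer
    return True

def evaluate():
    """Return, per rule, the labels of the constructed samples it fires on."""
    return {name: [label for label, uri, hdr in SAMPLES if rule_fires(rule, uri, hdr)]
            for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:10} -> {hits}")
```

The rev:1 pattern fires on nothing at all, which is the effect of the missing "/" Rmkml flagged; the unanchored ET content also matches a two-digit "p" value unless urilen pins the length.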
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!