[Snort-sigs] Improvement to rule 1:26528

Tony Robinson deusexmachina667 at ...2420...
Wed May 28 09:19:41 EDT 2014


Hello,

I'd like to propose an improvement to rule 1:26528
INDICATOR-OBFUSCATION eval of base64-encoded data.

In spite of the many ways it can trigger false positives, it's proven
to be valuable for finding compromised websites all over the place.
I'd like to propose a slight improvement that may help the accuracy a
little more. Here is the rule in its original form:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION eval of base64-encoded data";
flow:to_client,established; file_data;
content:"eval|28|base64.decode|28|"; fast_pattern:only;
metadata:service ftp-data, service http, service imap, service pop3;
classtype:trojan-activity; sid:26568; rev:3; )

Here is the rule with the slight modifications I would like considered:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION eval of base64-encoded data";
flow:to_client,established; file_data;
content:"eval|28|base64.decode|28|"; fast_pattern:only;
content:!"|22|J01PQklMRSc|3D 22 29 29 3B|"; distance: 0; within: 17;
metadata:service ftp-data, service http, service imap, service pop3;
classtype:trojan-activity; sid:26568; rev:3; )

Specifically, I recommend adding the following after the first content match:

content:!"|22|J01PQklMRSc|3D 22 29 29 3B|"; distance: 0; within: 17;

This tells Snort to NOT look for the content "J01PQklMRSc="));
immediately after the content match.

I've been seeing alerts for this particular content match on a lot of
mobile websites:

Parameters.SiteType = eval(Base64.decode("J01PQklMRSc="));

This base64 string decodes to the text 'MOBILE'. This content isn't
particularly malicious; in fact, aside from being absolutely
pointless, it's not insidious in the least, and I'm seeing it more and
more on mobile sites.

Let me know what you think.

Cheers,

da_667




-- 
when does reality end? when does fantasy begin?
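The following is an added example, not part of the original post and not Snort code. It emulates in Python what the proposed negated content does relative to the first match (distance:0 plus within:17 on a 17-byte pattern pins it to the bytes immediately following the cursor), and runs both the original and the modified rule body over constructed sample response bodies. It assumes the first content is matched case-insensitively, since the post reports alerts on "eval(Base64.decode(" with a capital B; the sample bodies other than the Parameters.SiteType line are constructed here.

```python
import base64
import re

# Assumption (not stated in the post): the first content matches
# case-insensitively, as the reported alerts on "Base64" suggest.
FIRST_CONTENT = re.compile(rb"eval\(base64\.decode\(", re.IGNORECASE)

# content:!"|22|J01PQklMRSc|3D 22 29 29 3B|"  ->  "J01PQklMRSc="));  (17 bytes)
NEGATED_CONTENT = b'"J01PQklMRSc="));'
DISTANCE = 0
WITHIN = 17


def negated_content_hits(payload: bytes, cursor: int) -> bool:
    """Snort distance/within semantics relative to the previous match end:
    the pattern must lie entirely inside the WITHIN-byte window that starts
    DISTANCE bytes past the cursor. With a 17-byte pattern and within:17
    that leaves exactly one admissible position."""
    start = cursor + DISTANCE
    window = payload[start:start + WITHIN]
    return NEGATED_CONTENT in window


def rule_fires(payload: bytes, with_exclusion: bool) -> bool:
    """Emulate the rule body. Snort retries an earlier content at its next
    occurrence when a later relative option fails, so with the exclusion the
    rule still fires if ANY eval(...decode( is not followed by the excluded
    argument. Without the exclusion, any occurrence fires."""
    for m in FIRST_CONTENT.finditer(payload):
        if not with_exclusion or not negated_content_hits(payload, m.end()):
            return True
    return False


def decode_arg(encoded: str) -> bytes:
    """Decode the base64 argument seen inside the eval() call."""
    return base64.b64decode(encoded)


# Constructed sample bodies. BENIGN is the line quoted in the post; the rest
# are made up here to probe the exclusion.
BENIGN = b'Parameters.SiteType = eval(Base64.decode("J01PQklMRSc="));'
SUSPICIOUS = b'<script>eval(Base64.decode("YWxlcnQoMSk="));</script>'
# One extra space shifts the window, so the 17-byte pattern no longer fits.
NEAR_MISS = b'Parameters.SiteType = eval(Base64.decode( "J01PQklMRSc="));'
# Both calls in one body: the exclusion removes only the MOBILE occurrence.
MIXED = BENIGN + b"\n" + SUSPICIOUS


def run_samples() -> dict:
    """Return (original, modified) verdicts per sample body."""
    samples = {"benign": BENIGN, "suspicious": SUSPICIOUS,
               "near_miss": NEAR_MISS, "mixed": MIXED}
    return {name: (rule_fires(body, False), rule_fires(body, True))
            for name, body in samples.items()}


if __name__ == "__main__":
    print("J01PQklMRSc= decodes to:", decode_arg("J01PQklMRSc="))
    for name, (orig, modified) in run_samples().items():
        print(f"{name:10s} original={orig!s:5s} modified={modified}")
```

The near-miss case is the caveat to keep in mind: the exclusion is byte-exact, so any whitespace or quoting variation in the mobile-site snippet still alerts, while the mixed case shows that a page carrying both the MOBILE call and a different eval(Base64.decode( call is still reported.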