[Snort-sigs] Assist with FrameworkPOS sig

James Lay jlay at ...3266...
Wed Oct 15 16:40:58 EDT 2014


On 2014-10-15 14:04, rmkml wrote:
> Please add s on pcre option please.
> Regards
> @Rmkml
>
>
> On Wed, 15 Oct 2014, rmkml wrote:
>
>> Thx James for sharing,
>>
>> Could you check this revision please? (not tested)
>>
>>  alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS 
>> beacon";
>>  flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon";
>>  fast_pattern:only;
>> 
>> pcre:"/\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}[\x18-\x60][a-f0-9]{24,96}[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00/";
>> metadata:impact_flag red, policy balanced-ips drop,
>>  policy security-ips drop, service dns; reference: 
>> url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/;
>>  classtype:trojan-activity; sid:10000137; rev:2;)
>>
>> c5008015
>> ->  \x08[a-f0-9]{8}
>>
>> .beacon
>> ->  \x06beacon
>>
>> .c3cbc0dcc3c4cadcc4cbdcc4cb
>> ->  [\x18-\x60][a-f0-9]{24,96}
>>
>> .a2b3a7bedfb3b0b1c3c0c1c6
>> ->  [\x18-\x60][a-f0-9]{24,96}
>>
>> .domain
>> ->  [\x03-\x60]\w{3,96}
>>
>> .com
>> ->  [\x02-\x06]\w{2,6}\x00
>>
>> Comments are welcome ;)
>>
>> Regards
>> @Rmkml
>>
>>
>>
>> On Wed, 15 Oct 2014, James Lay wrote:
>>
>>>  Hey all,
>>>
>>>  I'm attempting to get something going for the below:
>>>
>>>  
>>> https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html
>>>
>>>  In a nutshell I'm trying to create a couple sigs to match:
>>>
>>>      Id.beacon.encoded_data1.encoded_data2.domain.com
>>>
>>>  This request is the heartbeat. The ID is a random ID generated 
>>> during
>>>  the first execution of the malware. Encoded_data1 is the IP 
>>> address of
>>>  the infected machine and encoded_data2 is the host name of the 
>>> machine.
>>>
>>>      Id.alert.encoded_data3.domain.com
>>>
>>>  The ID is the same random ID as used in the example above and
>>>  encoded_data3 is a process name. The attackers receive the process 
>>> name
>>>  each time a credit card number is found in the memory.
>>>
>>>
>>>  An example DNS request:
>>>
>>>  
>>> c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com
>>>
>>>  alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS
>>>  beacon"; flow:to_server; byte_test:1,!&,0xF8,2; 
>>> content:"|06|beacon|1A|";
>>>  fast_pattern:only; metadata:impact_flag red, policy balanced-ips 
>>> drop,
>>>  policy security-ips drop, service dns;
>>> reference: 
>>> url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/;
>>>  classtype:trojan-activity; sid:10000137; rev:1;)
>>>
>>>  What I don't have intel on is if the values before and after 
>>> beacon and
>>>  alert change length.  Is pcre a good fit for this?  Or something 
>>> else?
>>>  Thanks for looking all.
>>>
>>>  James
>>
>>

Looks like @Rmkml has this one working well.  Hope it's useful 
somewhere.  Thanks all.

James

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS 
beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon"; 
fast_pattern:only; 
pcre:"/\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}[\x18-\x60][a-f0-9]{24,96}[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00/s"; 
metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
drop, service dns; reference: 
url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/; 
classtype:trojan-activity; sid:10000137; rev:2;)
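An added check of the finished rule's logic, not code from the thread: it builds a constructed DNS query in wire format (length-prefixed labels, as Snort sees them in the UDP payload), then applies the byte_test, the fast-pattern content and the pcre from the rule above in Python's re module. The sample name is the one from the G DATA write-up quoted in the thread; the packet builder and helper names are this example's own assumptions, not Snort's matching engine.

```python
import re

# The rule's pcre, applied to the raw DNS payload (label-length byte followed by
# each label) exactly as Snort matches it. re.DOTALL mirrors the trailing /s.
BEACON_RE = re.compile(
    rb"\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}"
    rb"[\x18-\x60][a-f0-9]{24,96}[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00",
    re.DOTALL,
)


def encode_qname(fqdn: str) -> bytes:
    """Encode a hostname as a DNS wire-format QNAME: <len><label>...<len><label>\\x00."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_packet(fqdn: str, flags: int = 0x0100) -> bytes:
    """Constructed DNS packet: 12-byte header plus one question (QTYPE A, QCLASS IN).
    flags=0x0100 is a standard query with RD set; 0x8180 is an ordinary response."""
    header = b"\x12\x34" + flags.to_bytes(2, "big") + b"\x00\x01" + b"\x00\x00" * 3
    return header + encode_qname(fqdn) + b"\x00\x01\x00\x01"


def is_frameworkpos_beacon(packet: bytes) -> bool:
    """Apply the rule's three checks in order: byte_test:1,!&,0xF8,2 (QR and opcode
    bits of header byte 2 must be clear), the fast-pattern content, then the pcre."""
    if len(packet) < 12 or packet[2] & 0xF8:
        return False
    if b"\x06beacon" not in packet:
        return False
    return BEACON_RE.search(packet) is not None


if __name__ == "__main__":
    sample = "c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com"
    print(is_frameworkpos_beacon(build_dns_packet(sample)))             # True
    print(is_frameworkpos_beacon(build_dns_packet("www.example.com")))  # False
```

Because the pcre anchors on the label-length bytes rather than on dots, the same function also shows why a response carrying the identical name (QR bit set) or an ID that is not exactly eight hex characters falls outside the rule.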