[Snort-sigs] DNS Reverse Shell sig

James Lay jlay at ...3266...
Wed Feb 4 16:09:21 EST 2015


 

On 2015-02-04 02:06 PM, Dave Killion wrote:

> The initial letter before the dash is part of the "label" (that 0x3A is
> measuring) so yes - the fact you're counting 58 bytes total (between the
> character class, the dash, and your pcre string) means you'll match on
> 0x3A all the time.
>
> In fact, you could probably remove the last pcre check entirely, since
> doing that 0x3A check will perform the byte-count for you...
>
> -Dave
>
> On Wed Feb 04 2015 at 1:02:37 PM James Lay <jlay at ...3266... [9]> wrote:
>
>> On 2015-02-04 01:29 PM, rmkml wrote:
>> > Thx James for sharing,
>> >
>> > Length is always the same, add 0x3A (dns length) like this ?
>> > Add "-" for better performance ?
>> > modify pcre to use relative?
>> >
>> > alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS
>> > Shell"; content:"|01 00 00 01 00 00 00 00 00 00 3A|"; depth:11;
>> > offset:2; fast_pattern; content:"-"; within:1; distance:1;
>> > pcre:"/^[a-z0-9]{56}/Ri";
>> > reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [1];
>> > classtype:bad-unknown; sid:10000150; rev:2;)
>> >
>> > Best Regards
>> > @Rmkml
>> >
>> >
>> > On Wed, 4 Feb 2015, James Lay wrote:
>> >
>> >> In my testing of
>> >> http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [2] I
>> >> noticed that during the reverse shell session a semi-constant showed
>> >> up...namely a character followed by a dash, followed by 56 other
>> >> characters. Pretty sure this could be changed in the python code, but
>> >> this will catch this in its current form. It will not fire on each and
>> >> every dns query, but will most likely fire at least during the session.
>> >>
>> >> alert udp $HOME_NET any -> any 53 (msg:"Possible Python Reverse DNS
>> >> Shell"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>> >> fast_pattern; pcre:"/[a-z]-[a-z0-9]{56}/i";
>> >> reference:url,lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html [3];
>> >> classtype:bad-unknown; sid:10000150; rev:1;)
>> >>
>> >> This WILL most likely FP if you're looking for a domain that matches
>> >> the above style, but I couldn't find any such domain in my logs.
>> >>
>> >> Enjoy.
>> >>
>> >> James
>>
>> That's a good idea..would that still catch the initial "[a-zA-Z]-" at
>> the start though? Or just the "-[a-z0-9]{56}"...thanks RM!
>>
>> James
>>

Awesome....thanks for the education on this!

James 

Links:
------
[1] http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html
[2] http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html
[3] http://lockboxx.blogspot.com/2015/01/python-reverse-dns-shell.html
[4] http://goparallel.sourceforge.net/
[5] mailto:Snort-sigs at lists.sourceforge.net
[6] https://lists.sourceforge.net/lists/listinfo/snort-sigs
[7] http://www.snort.org
[8] http://blog.snort.org
[9] mailto:jlay at ...3266...
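The two rules in this thread are easiest to reason about against real DNS bytes. The following Python script is an added example, not code from any participant in the thread or from the Snort project: it builds a minimal DNS query, emulates the content/offset/depth, distance/within and relative-pcre options of the rev:1 and rev:2 rules on the UDP payload, and shows why the first label-length byte is 0x3A, i.e. 1 (leading character) + 1 (dash) + 56. The query names, the 0x1234 transaction id and the example.com suffix are constructed test inputs, and the matching functions are a simplified model of Snort's detection engine, not Snort itself.

```python
import re
import struct

# rev:2 content from the thread: header flags/counts plus first label length 0x3A.
RULE_CONTENT_REV2 = bytes.fromhex("01 00 00 01 00 00 00 00 00 00 3A")
# rev:1 content: the same header bytes without the label-length byte.
RULE_CONTENT_REV1 = bytes.fromhex("01 00 00 01 00 00 00 00 00 00")


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard query (RD=1, QDCOUNT=1, QTYPE A, class IN).

    The returned bytes are the UDP payload that Snort's content/pcre options inspect.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)


def first_label_length(payload: bytes) -> int:
    """Length byte of the first QNAME label, which sits at payload byte 12."""
    return payload[12]


def match_rev2(payload: bytes) -> bool:
    """Model of rmkml's rev:2 rule body applied to one DNS payload."""
    # content:"|01 00 ... 3A|"; offset:2; depth:11 -> only bytes [2, 13) are searched,
    # so the 11-byte content can only sit exactly at byte 2.
    pos = payload[2:2 + 11].find(RULE_CONTENT_REV2)
    if pos < 0:
        return False
    doe = 2 + pos + len(RULE_CONTENT_REV2)  # end of the match: byte 13
    # content:"-"; distance:1; within:1 -> skip exactly one byte (the leading
    # character, whatever it is) and require "-" as the very next byte.
    start = doe + 1
    pos = payload[start:start + 1].find(b"-")
    if pos < 0:
        return False
    doe = start + pos + 1
    # pcre:"/^[a-z0-9]{56}/Ri" -> anchored at the relative position, case-insensitive.
    return re.match(rb"[a-z0-9]{56}", payload[doe:], re.IGNORECASE) is not None


def match_rev1(payload: bytes) -> bool:
    """Model of James's original rev:1 rule body applied to one DNS payload."""
    # content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10
    if payload[2:2 + 10].find(RULE_CONTENT_REV1) < 0:
        return False
    # pcre:"/[a-z]-[a-z0-9]{56}/i" -> not relative, so it scans the whole payload.
    return re.search(rb"[a-z]-[a-z0-9]{56}", payload, re.IGNORECASE) is not None


# Constructed query names (example.com is only a placeholder suffix).
FIFTY_SIX = "".join(chr(ord("a") + i % 26) for i in range(56))
SHELL_QNAME = "a-" + FIFTY_SIX + ".example.com"   # letter, dash, 56 characters
DIGIT_QNAME = "1-" + FIFTY_SIX + ".example.com"   # digit instead of a letter
NODASH_QNAME = "a" + "b" * 57 + ".example.com"    # 58-byte label without a dash
BENIGN_QNAME = "www.example.com"


if __name__ == "__main__":
    for name in (SHELL_QNAME, DIGIT_QNAME, NODASH_QNAME, BENIGN_QNAME):
        pkt = build_dns_query(name)
        print(f"label_len=0x{first_label_length(pkt):02x} "
              f"rev1={match_rev1(pkt)} rev2={match_rev2(pkt)}  {name[:14]}...")
```

Running it shows the trade-off the thread discusses: SHELL_QNAME fires both revisions; NODASH_QNAME has the 0x3A length byte but no dash, so the extra content:"-" check still earns its keep; DIGIT_QNAME fires rev:2 but not rev:1, because distance:1 skips the leading byte without checking that it is a letter, which answers James's question about the "[a-zA-Z]-" prefix. Swapping in a legitimate name whose first label is exactly 58 bytes of that shape reproduces the false positive James warns about.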