[Snort-sigs] Multiple signatures 006

Y M snort at outlook.com
Wed Jul 25 09:39:38 EDT 2018


Hi,

Pcaps are available for some of the signatures below.

# --------------------
# Date: 2018-07-24
# Title: User-Agents of IoT Scanners
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: These are UAs seen in inbound IoT scanners. However, we don't care for inbound traffic
#        since there are rules to detect the exploits, and they are noisy. Rather, we use the
#        UAs for outbound traffic from the "protected" IoT network, just in case.

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Gemini"; flow:to_server,established; content:"User-Agent: Gemini/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000202; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Hakai"; flow:to_server,established; content:"User-Agent: Hakai/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000203; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Hello, World"; flow:to_server,established; content:"User-Agent: Hello, World"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000204; rev:1;)

# --------------------
# Date: 2018-07-24
# Title: Osx.Backdoor.Calisto
# Tests: syntax only
# Reference:
#    - https://securelist.com/calisto-trojan-for-macos/86543/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; flow:to_server,established; content:"/upload.php?username="; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; classtype:trojan-activity; sid:8000205; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; flow:to_server,established; content:"/listenyee.php"; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; classtype:trojan-activity; sid:8000206; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: AgentTesla SMTP Exfil.
# Reference:
#     - https://www.virustotal.com/#/file/030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e/detection
#     - https://www.virustotal.com/#/file/0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e/detection
#     - https://www.virustotal.com/#/file/b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92/detection
# Tests: pcap
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: admin/PC Passwords Recovered From: "; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Win.Trojan.Betabot
# Reference:
#     - https://www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection
# Tests: pcap
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betabot variant outbound connection"; flow:to_server,established; content:"/do/logout.php?id="; fast_pattern:only; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection; classtype:trojan-activity; sid:8000208; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Encoded binary downloads with suspicious HTTP Responses
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Observed in Win.Worm.Urahu/Skillies traffic.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE decimal encoded binary download attempt - Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"77 90"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000209; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE base64 encoded binary download attempt - Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"TVqQ"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000210; rev:1;)
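Why the two rules above look for `77 90` and `TVqQ` in file_data, as an added Python example that is not part of the post or its pcaps: `77 90` is the space-separated decimal encoding of the bytes 0x4D 0x5A (`MZ`), and `TVqQ` is the base64 encoding of `MZ\x90`. The functions emulate the rules' content matches on constructed HTTP responses, and a decoding check shows two caveats of the literal match: base64 only yields `TVqQ` when the MZ header sits at a 3-byte-aligned offset, and `77 90` also occurs inside unrelated decimal text such as `177 900`. All sample data and the `FAKE_PE` stub are constructed.

```python
import base64
import re

# Constructed sample data (not from the pcaps referenced in the post).
# A fake PE stub: only the MZ magic and a little padding.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8

# The three response headers that sid:8000209/8000210 anchor on (their
# fast_pattern content), wrapped in a minimal HTTP/1.1 response.
HEADER_ANCHOR = (
    b"Content-type: application/octet-stream\r\n"
    b"Content-Disposition: attachment\r\n"
    b"Connection: close\r\n"
)
RESPONSE_HEAD = b"HTTP/1.1 200 OK\r\n" + HEADER_ANCHOR + b"\r\n"


def decimal_encode(data: bytes) -> bytes:
    """Space-separated decimal byte values: b'MZ\\x90' -> b'77 90 144'."""
    return " ".join(str(b) for b in data).encode()


def split_response(raw: bytes):
    """Split a raw HTTP response into (headers, body) at the first CRLFCRLF."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + sep, body


def matches_sid_8000209(raw: bytes) -> bool:
    """Emulates the decimal rule: header anchor, then literal '77 90' in file_data."""
    head, body = split_response(raw)
    return HEADER_ANCHOR in head and b"77 90" in body


def matches_sid_8000210(raw: bytes) -> bool:
    """Emulates the base64 rule: header anchor, then literal 'TVqQ' in file_data."""
    head, body = split_response(raw)
    return HEADER_ANCHOR in head and b"TVqQ" in body


def decoded_contains_mz(body: bytes) -> bool:
    """Stronger check: decode the body (decimal or base64) and look for MZ\\x90
    in the real bytes at any offset. Returns False if the body is not a valid
    encoding of bytes (e.g. a decimal value above 255)."""
    text = body.strip()
    try:
        if re.fullmatch(rb"\d{1,3}(\s+\d{1,3})*", text):
            data = bytes(int(x) for x in text.split())  # ValueError if any value > 255
        else:
            data = base64.b64decode(text, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    return b"MZ\x90" in data


# Constructed responses exercising the rules.
DECIMAL_RESPONSE = RESPONSE_HEAD + decimal_encode(FAKE_PE)
BASE64_RESPONSE = RESPONSE_HEAD + base64.b64encode(FAKE_PE)
# Same stub with one leading junk byte: the base64 alignment shifts, so the
# literal "TVqQ" no longer appears even though the decoded bytes contain MZ.
SHIFTED_BASE64_RESPONSE = RESPONSE_HEAD + base64.b64encode(b"X" + FAKE_PE)
# Harmless decimal text that happens to contain the substring "77 90".
FALSE_POSITIVE_RESPONSE = RESPONSE_HEAD + b"177 900"


if __name__ == "__main__":
    for name, raw in [("decimal", DECIMAL_RESPONSE), ("base64", BASE64_RESPONSE),
                      ("shifted base64", SHIFTED_BASE64_RESPONSE),
                      ("false positive", FALSE_POSITIVE_RESPONSE)]:
        body = split_response(raw)[1]
        print(f"{name:15} sid8000209={matches_sid_8000209(raw)} "
              f"sid8000210={matches_sid_8000210(raw)} decoded_mz={decoded_contains_mz(body)}")
```

The literal matches are what Snort can do cheaply in the fast-pattern matcher; the decode step is the kind of confirmation a triage script or a post-alert check would apply, which is why the submission marks these rules as low confidence.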

# --------------------
# Date: 2018-07-25
# Title: Remote administration tools
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: This is policy only since the tools may be legitimate but
#        also outside the scope of the allowed tools per policy. Detection
#        on the network may be considered an indicator.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_server,established; content:"<rman_message version="; fast_pattern:only; content:"<code>1</code>"; metadata:ruleset community; classtype:policy-violation; sid:8000211; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_client,established; content:"<rman_message version="; fast_pattern:only; content:"<code>3</code>"; content:"</rman_message>"; distance:0; metadata:ruleset community; classtype:policy-violation; sid:8000212; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000213; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000214; rev:1;)
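A small parser and linter for the Snort 2 rule syntax used throughout this submission, as an added Python example that is not the author's code or a Snort tool: it splits the rule header from the option list, tokenises options on `;` outside double quotes (honouring the backslash escapes Snort requires for `;` and `"` inside content), and applies the checks a reviewer of a batch like this one would run: `msg`, `sid`, `rev` and `classtype` present, `metadata` carrying `ruleset community`, modifiers such as `fast_pattern` and `http_header` only after a `content`/`pcre`, and no duplicate sids. The sample input quotes two rules from the post and adds one constructed rule with deliberate defects; the check set and `MODIFIERS` list are this example's own choices.

```python
import re
from collections import Counter

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# Options that only make sense as modifiers of a preceding content/pcre
# (this list is the example's own, not exhaustive).
MODIFIERS = {"fast_pattern", "http_header", "http_uri", "http_client_body",
             "nocase", "distance", "within", "offset", "depth"}
REQUIRED = ("msg", "sid", "rev", "classtype")


def split_options(opts):
    """Split the option body on ';' outside double quotes, honouring the
    backslash escapes Snort uses for ';' and '"' inside content strings.
    Returns a list of (keyword, value-or-None) in rule order."""
    fields, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        fields.append("".join(buf))
    parsed = []
    for field in fields:
        key, sep, val = field.partition(":")
        parsed.append((key.strip(), val.strip() if sep else None))
    return parsed


def parse_rule(line):
    """Parse one rule line into its header fields plus an ordered option list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    rule = m.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    return rule


def option(rule, key):
    """First value for a keyword (keywords such as content may repeat)."""
    return next((v for k, v in rule["options"] if k == key), None)


def lint_rules(text):
    """Lint a rules file; returns (parsed rules, list of (line_no, problem))."""
    rules, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and the '# Title:' style header comments
        try:
            rule = parse_rule(line)
        except ValueError as err:
            problems.append((n, str(err)))
            continue
        keys = [k for k, _ in rule["options"]]
        for req in REQUIRED:
            if req not in keys:
                problems.append((n, f"missing {req}"))
        seen_pattern = False
        for k, _ in rule["options"]:
            if k in ("content", "pcre"):
                seen_pattern = True
            elif k in MODIFIERS and not seen_pattern:
                problems.append((n, f"{k} before any content/pcre"))
        if "ruleset community" not in (option(rule, "metadata") or ""):
            problems.append((n, "metadata lacks 'ruleset community'"))
        rules.append((n, rule))
    for sid, count in sorted(Counter(option(r, "sid") for _, r in rules).items()):
        if count > 1:
            problems.append((0, f"sid {sid} used {count} times"))
    return rules, problems


# Two rules quoted from the post, then a constructed rule with three deliberate
# defects: fast_pattern before its content, no rev, and a sid colliding with the first.
SAMPLE_RULES = r'''
# Title: sample
alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Gemini"; flow:to_server,established; content:"User-Agent: Gemini/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000202; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000213; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"CONSTRUCTED bad rule"; flow:to_server,established; fast_pattern:only; content:"Subject: x\; y"; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000202;)
'''

if __name__ == "__main__":
    for line_no, problem in lint_rules(SAMPLE_RULES)[1]:
        print(f"line {line_no or '-'}: {problem}")
```

Run it against a whole submission file to catch the defects the real parser reports only at load time (a duplicate sid makes Snort refuse the rules file) before posting to the list.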

Thanks.
YM