[Snort-sigs] Multiple signatures 006

Marcos Rodriguez mrodriguez at sourcefire.com
Fri Jul 27 08:34:42 EDT 2018


On Wed, Jul 25, 2018 at 9:39 AM, Y M via Snort-sigs <snort-sigs at lists.snort.org> wrote:

> Hi,
>
> Pcaps are available for some of the signatures below.
>
> # --------------------
> # Date: 2018-07-24
> # Title: User-Agents of IoT Scanners
> # Reference: Research
> # Tests: pcap
> # Confidence: medium
> # Notes: These are UAs seen in inbound IoT scanners. However, we don't care for inbound traffic
> #        since there are rules to detect the exploits, and they are noisy. Rather, we use the
> #        UAs for outbound traffic from the "protected" IoT network, just in case.
>
> alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Gemini"; flow:to_server,established; content:"User-Agent: Gemini/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000202; rev:1;)
>
> alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Hakai"; flow:to_server,established; content:"User-Agent: Hakai/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000203; rev:1;)
>
> alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Hello, World"; flow:to_server,established; content:"User-Agent: Hello, World"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000204; rev:1;)
>
> # --------------------
> # Date: 2018-07-24
> # Title: Osx.Backdoor.Calisto
> # Tests: syntax only
> # Reference:
> #    - https://securelist.com/calisto-trojan-for-macos/86543/
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; flow:to_server,established; content:"/upload.php?username="; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; classtype:trojan-activity; sid:8000205; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; flow:to_server,established; content:"/listenyee.php"; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; classtype:trojan-activity; sid:8000206; rev:1;)
>
> # --------------------
> # Date: 2018-07-25
> # Title: AgentTesla SMTP Exfil.
> # Reference:
> #     - https://www.virustotal.com/#/file/030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e/detection
> #     - https://www.virustotal.com/#/file/0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e/detection
> #     - https://www.virustotal.com/#/file/b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92/detection
> # Tests: pcap
> # Confidence: medium
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: admin/PC Passwords Recovered From: "; fast_pattern:only; metadata:ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:1;)
>
> # --------------------
> # Date: 2018-07-25
> # Title: Win.Trojan.Betabot
> # Reference:
> #     - https://www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection
> # Tests: pcap
> # Confidence: low
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betabot variant outbound connection"; flow:to_server,established; content:"/do/logout.php?id="; fast_pattern:only; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection; classtype:trojan-activity; sid:8000208; rev:1;)
>
> # --------------------
> # Date: 2018-07-25
> # Title: Encoded binary downloads with suspicious HTTP Responses
> # Reference: Research
> # Tests: pcap
> # Confidence: low
> # Notes: Observed in Win.Worm.Urahu/Skillies traffic.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE decimal encoded binary download attempt - Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"77 90"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000209; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE base64 encoded binary download attempt - Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"TVqQ"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000210; rev:1;)
>
> # --------------------
> # Date: 2018-07-25
> # Title: Remote administration tools
> # Reference: Research
> # Tests: pcap
> # Confidence: medium
> # Notes: This is policy only since the tools may be legitimate but
> #        also outside the scope of the allowed tools per policy. Detection
> #        on the network may be considered an indicator.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_server,established; content:"<rman_message version="; fast_pattern:only; content:"<code>1</code>"; metadata:ruleset community; classtype:policy-violation; sid:8000211; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_client,established; content:"<rman_message version="; fast_pattern:only; content:"<code>3</code>"; content:"</rman_message>"; distance:0; metadata:ruleset community; classtype:policy-violation; sid:8000212; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000213; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000214; rev:1;)
>
> Thanks.
> YM
>


Hi Yaser,

We really appreciate these submissions. We will review each of them and get
back to you when finished.  We'd appreciate any pcaps you could send.  Have
a great day!

-- 
Marcos Rodriguez
Cisco Talos
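The two "encoded binary download" rules in the quoted submission (sid:8000209 and sid:8000210) key on the decimal form ("77 90") and the base64 form ("TVqQ") of the Windows PE "MZ" header, which is why a low confidence is attached: the decimal marker is just two numbers and can appear inside unrelated digits. The Python below is an added example, not code from the original post or from the Talos ruleset. It builds constructed HTTP responses (hypothetical sample data), mirrors the header anchor and body-marker logic of the two rules, and then performs the decode-and-confirm step an analyst would want before treating a hit as a real encoded PE download.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample traffic (not from the original post). The response headers
# reproduce the sequence both rules use as their fast_pattern content; the
# bodies carry the first bytes of a Windows PE file (the "MZ" header, 0x4D 0x5A)
# encoded as space-separated decimal byte values and as base64 respectively.
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00"

RESPONSE_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"Content-type: application/octet-stream\r\n"
    b"Content-Disposition: attachment\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Header sequence matched by content:"...|0D 0A|"; fast_pattern:only in both rules.
HEADER_ANCHOR = (
    b"Content-type: application/octet-stream\r\n"
    b"Content-Disposition: attachment\r\n"
    b"Connection: close\r\n"
)


def decimal_encode(data: bytes) -> bytes:
    """Encode bytes as space-separated decimal values, e.g. b'MZ' -> b'77 90'."""
    return " ".join(str(b) for b in data).encode()


DECIMAL_RESPONSE = RESPONSE_HEADERS + decimal_encode(PE_STUB)
BASE64_RESPONSE = RESPONSE_HEADERS + base64.b64encode(PE_STUB)
# Benign download whose body happens to contain the digits "77 90" inside other numbers.
BENIGN_RESPONSE = RESPONSE_HEADERS + b"invoice 177 9055 units shipped"


def rule_match(raw_response: bytes) -> Optional[str]:
    """Approximate the two posted rules.

    Both require the header anchor; sid:8000209 then looks for "77 90" in the
    response body (file_data), sid:8000210 looks for "TVqQ", the base64 encoding
    of b"MZ\\x90". Returns the encoding the rule would flag, or None.
    """
    if HEADER_ANCHOR not in raw_response:
        return None
    _, _, body = raw_response.partition(b"\r\n\r\n")
    if b"77 90" in body:
        return "decimal"
    if b"TVqQ" in body:
        return "base64"
    return None


def decoded_starts_with_mz(body: bytes, encoding: str) -> bool:
    """Decode the body with the flagged encoding and confirm it really begins with MZ.

    A plain substring match can fire on unrelated digits, so decode the whole
    body and check the actual leading bytes; any decode failure counts as no.
    """
    try:
        if encoding == "decimal":
            data = bytes(int(tok) for tok in body.split())
        elif encoding == "base64":
            data = base64.b64decode(body, validate=True)
        else:
            return False
    except (ValueError, binascii.Error):
        return False
    return data.startswith(b"MZ")


def triage(raw_response: bytes) -> Tuple[Optional[str], bool]:
    """Return (encoding flagged by the rule logic, whether decoding confirms a PE header)."""
    encoding = rule_match(raw_response)
    if encoding is None:
        return None, False
    _, _, body = raw_response.partition(b"\r\n\r\n")
    return encoding, decoded_starts_with_mz(body, encoding)


if __name__ == "__main__":
    for name, sample in [("decimal", DECIMAL_RESPONSE),
                         ("base64", BASE64_RESPONSE),
                         ("benign", BENIGN_RESPONSE)]:
        print(name, triage(sample))
```

The benign sample is flagged by the "77 90" substring exactly as the Snort rule would flag it, but the decode step rejects it, which is the kind of confirmation worth wiring into the alert handling for a low-confidence indicator. The same approach extends to other encodings a downloader might use (hex, reversed base64) by adding a decoder branch and a marker.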