<div style="word-wrap:break-word">James,<div><br></div><div>This is actually our sig, not emerging threats.&nbsp; I'll take a look at what you are saying below; I am sure there are plenty of samples I can pull from.</div><div>
<br></div><div>J</div><div><br><div><div>On Dec 9, 2011, at 4:42 PM, Lay, James wrote:</div><br><blockquote type="cite"><span style="border-collapse:separate;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium;font-family:'Lucida Grande'"><div lang="EN-US" link="blue" vlink="purple">
<div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Rule:<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
<u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST URI request for known malicious URI - /stat.htm"; flow:to_server,established; content:"/stat.htm?id="; nocase; http_uri; content:"&r="; within:3; distance:7; nocase; http_uri; content:"&repeatip="; distance:0; nocase; http_uri; content:"&rtime="; distance:0; nocase; http_uri; content:"&cnzz_eid="; distance:0; nocase; http_uri; reference:url,<a href="http://labs.snort.org/iplists/urllist-2011-04-07" style="color:blue;text-decoration:underline" target="_blank">labs.snort.org/iplists/urllist-2011-04-07</a>; classtype:trojan-activity; sid:18773; rev:2;)<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'"><u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
So... I've been looking at this rule today and noticed a few things.&nbsp; First off, I've noticed that almost all the hits I've seen seem to be called from a stat.php link now.&nbsp; Here's an example flow:<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
<u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Origin site (compromised?) code snippet:<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
&lt;div align="center" style="display:none"&gt;<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
&lt;script src="hxxp://s11.bleh.com/stat.php?id=2208120&web_id=2208120" language="JavaScript"&gt;&lt;/script&gt;<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
&lt;/div&gt;<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'"><u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
From GETting stat.php:<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">HTTP/1.1 200 OK<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
Expires: Fri, 09 Dec 2011 21:19:33 GMT<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Date: Fri, 09 Dec 2011 19:49:33 GMT<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Server: Apache/2.2.19 (Unix)<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
Last-Modified: Fri, 09 Dec 2011 19:49:33 GMT<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Content-Length: 2394<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Content-Type: text/html<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
Age: 1409<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">X-Via: 1.1 dg46:8105 (Cdn Cache Server V2.0)<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Connection: keep-alive<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">function gv_cnzz(of){<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
&lt;snip&gt;<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">document.write('&lt;img src="hxxp://hzs11.bleh.com/stat.htm?id=2208120'+cnzz_data+'" border=0 width=0 height=0 /&gt;');<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">&lt;snip&gt;<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
document.cookie="cnzz_eid="+escape(cnzz_eid)+ ";expires="+cnzz_ed.toGMTString()+";path=/";<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
<u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'"><u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
<u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">and from GETting the long stat.htm link:<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
HTTP/1.1 200 OK<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Server: nginx/1.0.4<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
Date: Fri, 09 Dec 2011 20:13:03 GMT<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Content-Type: image/gif<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">Transfer-Encoding: chunked<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
Connection: close<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'"><u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
2b<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">GIF89a.............!.......,...........D..;<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
0<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'"><u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
Would it be beneficial to have a rule that includes the stat.php as well?&nbsp; Or do we care ;)&nbsp; Thanks all.<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">
<u></u>&nbsp;<u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:9pt;font-family:'Lucida Console'">James<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">
<u></u>&nbsp;<u></u></div></div>_______________________________________________<br>Emerging-sigs mailing list<br>
<a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" style="color:blue;text-decoration:underline" target="_blank">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a></div></span></blockquote></div><br></div></div>
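Added example, not part of the thread: a small emulation of the relative content chain in sid:18773 quoted above, so a rule writer can see which request URIs it does and does not fire on. It assumes Snort 2.x semantics for nocase, distance and within (distance shifts the search start relative to the previous match end; within bounds the window the next pattern must fit in), and the sample URIs are constructed to look like the stat.htm beacon and the stat.php loader in the quoted flow.

```python
# Emulate the ordered content matches of Snort sid:18773 (from the quoted rule).
# Each tuple is (content, distance, within); None means the keyword is absent.
SID_18773_CONTENTS = [
    ("/stat.htm?id=", None, None),  # first content: absolute search over the URI
    ("&r=", 7, 3),                  # distance:7 within:3 -> exactly 7 bytes after "id="
    ("&repeatip=", 0, None),        # distance:0 -> anywhere after the previous match
    ("&rtime=", 0, None),
    ("&cnzz_eid=", 0, None),
]


def content_chain(uri, contents):
    """Return the end offset of every content match, or None if any content fails.

    nocase is emulated by lower-casing both sides. Simplification (assumed): Snort
    retries later occurrences of the first content if the chain fails; this takes
    only the first occurrence, which is enough for the URIs shown here.
    """
    buf = uri.lower()
    cursor = 0
    ends = []
    for pattern, distance, within in contents:
        pat = pattern.lower()
        start = 0 if distance is None else cursor + distance
        window = buf[start:] if within is None else buf[start:start + within]
        idx = window.find(pat)
        if idx < 0:
            return None
        cursor = start + idx + len(pat)
        ends.append(cursor)
    return ends


def matches_sid_18773(uri):
    return content_chain(uri, SID_18773_CONTENTS) is not None


if __name__ == "__main__":
    # Constructed sample URIs; parameter values are made up.
    samples = {
        "beacon, 7-digit id": "/stat.htm?id=2208120&r=x&repeatip=0&rtime=1&cnzz_eid=abc",
        "beacon, upper case": "/STAT.HTM?ID=2208120&R=x&REPEATIP=0&RTIME=1&CNZZ_EID=abc",
        "beacon, 8-digit id": "/stat.htm?id=22081200&r=x&repeatip=0&rtime=1&cnzz_eid=abc",
        "stat.php loader":    "/stat.php?id=2208120&web_id=2208120",
    }
    for label, uri in samples.items():
        print(f"{label:20s} -> {'ALERT' if matches_sid_18773(uri) else 'no match'}")
```

Two things the run makes visible: the stat.php loader stage James asks about is never covered by this rule, and the distance:7/within:3 pair pins the id to exactly seven characters, so a beacon with a longer id is missed.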