<div dir="ltr">Yaser,<div><br></div><div>Thanks for your submission. I'll review and test this and get back to you when it's finished.</div><div><br></div><div>Since you have a pcap, can you send it my way?</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 27, 2017 at 12:54 PM, Y M <span dir="ltr"><<a href="mailto:snort@...3751..." target="_blank">snort@...3751...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_1503530828424291914divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>After trying multiple combinations, the set of rules below was the most efficient among all the combinations I had when profiled. Pcap is available.</p>
<p><span style="font-size:12pt"><br>
</span></p>
<p><span style="font-size:12pt">The rules are divided into two sets. The first is a catch-all regardless of the URL. The second set is tailored according to each URL. In either set, the rules should catch (I think) both GET and POST requests; the resulting pcap did not contain any POST requests.</span></p>
<p><span style="font-size:12pt"><br>
</span></p>
<p><span style="font-size:12pt">First Set:</span></p>
<p><span style="font-size:12pt"><br>
</span></p>
<p><span style="font-size:12pt"><span style="font-size:9pt;font-family:Consolas,monospace"><span>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/(search|find|results|open|close|watch)\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html" target="_blank">http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html</a>; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000860; rev:1;)</span></span><br>
</span></p>
<p><span style="font-size:12pt"><span><br>
</span></span></p>
<p><span style="font-size:12pt"><span>Or, the second Set:</span></span></p>
<p><span style="font-size:12pt"><span><br>
</span></span></p>
<p><span style="font-size:12pt"><span></span></span></p>
<div><span style="font-size:9pt;font-family:Consolas,monospace">
<div><span style="font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/search/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/search\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html" target="_blank">http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html</a>; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000861; rev:1;)</span></div>
<div><span style="font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/watch/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/watch\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html" target="_blank">http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html</a>; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000862; rev:1;)</span></div>
<div><span style="font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/open/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/open\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html" target="_blank">http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html</a>; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000863; rev:1;)</span></div>
<div><span style="font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/find/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/find\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html" target="_blank">http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html</a>; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000864; rev:1;)</span></div>
<div><span style="font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/results/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/results\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html" target="_blank">http://contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html</a>; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000865; rev:1;)</span></div>
<div><span style="font-family:Consolas,monospace"><br>
</span></div>
<div><span style="font-family:Consolas,monospace">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Xagent outbound connection"; flow:to_server,established; content:"/close/?"; fast_pattern:only; http_uri; content:" (unknown version) "; http_header; content:" Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|keep-alive|0D 0A|"; http_header; pcre:"/\/close\/\x3f[a-zA-Z]{2,8}\x3d/U"; content:!"Referer"; http_header; content:!"Cookie"; http_header; metadata:ruleset community, service http; reference:url,<a href="http://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf" target="_blank">download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf</a>; classtype:trojan-activity; sid:1000866; rev:1;)</span></div>
</span></div>
<p>Thank you.</p><span class="HOEnZb"><font color="#888888">
<p>YM</p>
</font></span></div>
</div>

Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net">Snort-sigs@...1744...net</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-sigs</a><br>
<br>
<a href="http://www.snort.org" rel="noreferrer" target="_blank">http://www.snort.org</a><br>
<br>
Please visit <a href="http://blog.snort.org" rel="noreferrer" target="_blank">http://blog.snort.org</a> for the latest news about Snort!<br>
<br>
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href="https://snort.org/downloads/#rule-downloads" rel="noreferrer" target="_blank">emerging threats</a>!<br></blockquote></div><br></div>