[Snort-users] Payload not fitting rule content detection on snort + snorby
wkitty42 at ...14940...
Tue Sep 8 09:30:20 EDT 2015
On 09/07/2015 03:45 AM, Txalin wrote:
> # cat snort.rules | grep "MALWARE-TOOLS Win.Trojan.Dridex dropper message"
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; classtype:trojan-activity; sid:34945; rev:1;)
While I cannot help with your problem, I do want to point out that the content
string that rule is using is an extremely poor choice to be using for detection
of Dridex or any other malware. That string is the default value for the
X-Mailer field in that popular free open source Pascal code library. I use the
very same library here in my own projects. The library itself has nothing to
do with malware of any type. The coder(s) of the malware in question simply
have not placed a proper name for the mailer in their project, or they
are rotating valid strings, as is seen with user agent strings.
[sarcasm] I'm sure that Lukas Gebauer will be overjoyed to see his name abused
like that. [/sarcasm]
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
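To make the point above concrete, here is an added example (not code from the list post, from Snort, or from the Synapse library) that approximates the content match of the quoted rule as a case-sensitive substring search over the DATA section of a client-to-server SMTP exchange. It does not reproduce Snort's SMTP preprocessing or the `file_data` cursor; the three messages are constructed, and the application names in them are hypothetical. Run over a benign message from an in-house Synapse-based mailer, the same message with the X-mailer header renamed, and a message from an unrelated mailer, it shows that the rule fires on the legitimate Synapse sender and goes quiet the moment the string is changed, which is exactly why a library default makes a weak indicator.

```python
"""Emulate the content match of the quoted Snort rule (sid:34945) over
constructed SMTP payloads. Added example; it is not Snort code and only
approximates the rule as a case-sensitive substring match on the SMTP
DATA section (no MIME decoding, no file_data semantics)."""
import re
from typing import Dict, Optional

# Exact bytes from the rule's content: option. No 'nocase' in the rule,
# so Snort would match this case-sensitively, and so do we.
RULE_CONTENT = b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"

# Hypothetical X-mailer value a legitimate app might set instead of the default.
RENAMED_MAILER = "InventoryReporter/2.1 (internal)"


def smtp_session(headers: Dict[str, str], body: str) -> bytes:
    """Construct a minimal client->server SMTP exchange carrying one message.

    Constructed sample data for the example; addresses are placeholders."""
    hdr = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    message = hdr + "\r\n" + body
    session = (
        "EHLO client.example\r\n"
        "MAIL FROM:<sender@example.test>\r\n"
        "RCPT TO:<user@example.test>\r\n"
        "DATA\r\n" + message + "\r\n.\r\n"
        "QUIT\r\n"
    )
    return session.encode("utf-8")


def smtp_data_section(payload: bytes) -> Optional[bytes]:
    """Return the message bytes between the DATA command and the terminating
    '<CRLF>.<CRLF>', or None when the payload carries no DATA section."""
    m = re.search(rb"\r\nDATA\r\n(.*?)\r\n\.\r\n", payload, re.DOTALL)
    return m.group(1) if m else None


def rule_fires(payload: bytes) -> bool:
    """Approximation of the rule: alert when the content string appears
    anywhere in the SMTP DATA section (headers included)."""
    data = smtp_data_section(payload)
    return data is not None and RULE_CONTENT in data


# Three constructed messages. None of them is malware; the bodies are mundane.
SAMPLES: Dict[str, bytes] = {
    # A benign in-house tool (hypothetical) built on Synapse that kept the
    # library's default X-mailer value: the rule fires on it.
    "benign_synapse_default_header": smtp_session(
        {"From": "reports@example.test", "To": "ops@example.test",
         "Subject": "Nightly inventory report",
         "X-mailer": "Synapse - Pascal TCP/IP library by Lukas Gebauer"},
        "Attached is the nightly report. 14 items below reorder level.",
    ),
    # The same tool after its author set a proper mailer name: the rule is blind.
    "benign_synapse_renamed_header": smtp_session(
        {"From": "reports@example.test", "To": "ops@example.test",
         "Subject": "Nightly inventory report",
         "X-mailer": RENAMED_MAILER},
        "Attached is the nightly report. 14 items below reorder level.",
    ),
    # A message from an unrelated mailer: no match, as expected.
    "other_mailer": smtp_session(
        {"From": "alice@example.test", "To": "bob@example.test",
         "Subject": "Lunch?",
         "X-Mailer": "ExampleMailClient 7.3"},
        "Noon at the usual place?",
    ),
}


def evaluate(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Run the approximated rule over every sample and report which ones fire."""
    return {name: rule_fires(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLES).items():
        print(f"{'ALERT ' if fired else 'quiet '} {name}")
```

The only sample that trips the rule is the legitimate one that left the library default in place; a sender that renames the header, or rotates through other plausible values as the post suggests, is not seen at all. Any real detection for this dropper would need to key on something the malware cannot change as cheaply as a header string.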