[Snort-users] Payload not fitting rule content detection on snort + snorby

waldo kitty wkitty42 at ...14940...
Tue Sep 8 09:30:20 EDT 2015


On 09/07/2015 03:45 AM, Txalin wrote:
> # cat snort.rules | grep "MALWARE-TOOLS Win.Trojan.Dridex dropper message"
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message";
> flow:to_server,established; file_data;
> content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only;
> metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp;
> reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/;
> classtype:trojan-activity; sid:34945; rev:1;)

While I cannot help with your problem, I do want to point out that the content string
that rule is using is an extremely poor choice for detection of Dridex or any other
malware. That string is the default value for the X-Mailer field in that popular free
open source Pascal code library; I use the very same library here in my own projects.
The library itself has nothing to do with malware of any type. The coder(s) of the
malware in question simply have not placed a proper name for the mailer in their
project, or they are rotating valid strings, as is seen with user agent strings.

[sarcasm] I'm sure that Lukas Gebauer will be overjoyed to see his name abused
like that. [/sarcasm]

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
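The following is an added example, not part of the original thread and not code from the Snort rule set or from the Synapse library. It re-runs the single content match from the quoted rule (SID 34945) over three SMTP sessions constructed here (sender addresses, subjects and the "Microsoft Outlook 16.0" mailer string are all made up for the illustration) to make both points of the reply concrete: a legitimate Synapse-built tool that kept the default X-Mailer header trips the rule, and a dropper-style message that rotates to a different mailer string does not. The `file_data` emulation is an approximation (everything between the DATA command and the terminating dot), not the Snort SMTP preprocessor.

```python
"""Emulate the content check of Snort SID 34945 over constructed SMTP sessions.

Added example for this thread, not the rule set's or the library's own code.
"""
import re

# content: string exactly as quoted in the rule. The rule has no nocase
# modifier, so Snort compares it case-sensitively, and so do we.
RULE_CONTENT = b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"

# Default X-Mailer value that the Synapse library emits when the caller sets none.
SYNAPSE_DEFAULT = b"Synapse - Pascal TCP/IP library by Lukas Gebauer"


def build_session(sender: bytes, subject: bytes, x_mailer: bytes, body: bytes) -> bytes:
    """Assemble a minimal constructed client->server SMTP exchange (DATA phase only)."""
    lines = [
        b"MAIL FROM:<" + sender + b">",
        b"RCPT TO:<ops@example.net>",
        b"DATA",
        b"From: " + sender,
        b"To: ops@example.net",
        b"Subject: " + subject,
        b"X-mailer: " + x_mailer,
        b"",
        body,
        b".",
    ]
    return b"\r\n".join(lines) + b"\r\n"


# 1. Constructed: a legitimate build notification from an in-house Pascal tool
#    that uses Synapse and never set its own X-Mailer header.
BENIGN = build_session(b"cron@build.internal", b"nightly build finished",
                       SYNAPSE_DEFAULT, b"Build 1042 completed with 0 errors.")

# 2. Constructed: a dropper-style lure that also kept the library default.
SUSPECT = build_session(b"accounts@example.org", b"Invoice 88213",
                        SYNAPSE_DEFAULT, b"Please see the attached invoice.doc")

# 3. Constructed: the same lure after the sender rotated the mailer string,
#    as the reply suggests malware authors do with user agents.
SUSPECT_ROTATED = build_session(b"accounts@example.org", b"Invoice 88213",
                                b"Microsoft Outlook 16.0", b"Please see the attached invoice.doc")

SESSIONS = {
    "benign_synapse": BENIGN,
    "suspect_synapse": SUSPECT,
    "suspect_rotated": SUSPECT_ROTATED,
}


def smtp_data(session: bytes) -> bytes:
    """Return the message between the DATA command and the terminating '.' line.

    Approximates what file_data points at for this rule; the real SMTP
    preprocessor does more (MIME decoding, normalisation) than this.
    """
    m = re.search(rb"\r\nDATA\r\n(.*?)\r\n\.\r\n", session, re.S)
    return m.group(1) if m else b""


def rule_fires(session: bytes, content: bytes = RULE_CONTENT) -> bool:
    """Single case-sensitive content match over the emulated file_data buffer."""
    return content in smtp_data(session)


def evaluate(sessions: dict) -> dict:
    """Map each session name to whether the rule would alert on it."""
    return {name: rule_fires(payload) for name, payload in sessions.items()}


if __name__ == "__main__":
    for name, fired in evaluate(SESSIONS).items():
        print(f"{name:16s} -> {'ALERT' if fired else 'no alert'}")
```

Run as written, the benign Synapse notification and the Synapse-built lure both alert while the rotated lure passes silently, which is the reply's complaint in two lines of output: the string identifies the mail library, not the malware.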



