Snort mailing list archives
Re: [Emerging-Sigs] Rule 18773
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 10 Dec 2011 08:31:28 -0500
James,

This is actually our sig, not emerging threats. I'll take a look at what you are saying below, I am sure there are plenty of samples I can pull from.

J

On Dec 9, 2011, at 4:42 PM, Lay, James wrote:

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST URI request for known malicious URI - /stat.htm"; flow:to_server,established; content:"/stat.htm?id="; nocase; http_uri; content:"&r="; within:3; distance:7; nocase; http_uri; content:"&repeatip="; distance:0; nocase; http_uri; content:"&rtime="; distance:0; nocase; http_uri; content:"&cnzz_eid="; distance:0; nocase; http_uri; reference:url,labs.snort.org/iplists/urllist-2011-04-07; classtype:trojan-activity; sid:18773; rev:2;)

So... I've been looking at this rule today and noticed a few things. First off, I've noticed that almost all the hits I've seen seem to be called from a stat.php link now. Here's an example flow:

Origin site (compromised?) code snippet:

<div align="center" style="display:none">
<script src="hxxp://s11.bleh.com/stat.php?id=2208120&web_id=2208120" language="JavaScript"></script>
</div>

From GETting stat.php:

HTTP/1.1 200 OK
Expires: Fri, 09 Dec 2011 21:19:33 GMT
Date: Fri, 09 Dec 2011 19:49:33 GMT
Server: Apache/2.2.19 (Unix)
Last-Modified: Fri, 09 Dec 2011 19:49:33 GMT
Content-Length: 2394
Content-Type: text/html
Age: 1409
X-Via: 1.1 dg46:8105 (Cdn Cache Server V2.0)
Connection: keep-alive

function gv_cnzz(of){
<snip>
document.write('<img src=" hxxp://hzs11.bleh.com/stat.htm?id=2208120'+cnzz_data+'" border=0 width=0 height=0 />');
<snip>
document.cookie="cnzz_eid="+escape(cnzz_eid)+ ";expires="+cnzz_ed.toGMTString()+";path=/";

and from GETting the long stat.htm link:

HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 09 Dec 2011 20:13:03 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close

2b
GIF89a.............!.......,...........D..;
0

Would it be beneficial to have a rule that includes the stat.php as well? Or do we care ;) Thanks all.

James

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
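To make the matching behaviour of sid 18773 concrete, here is an added Python sketch. It is not part of this thread and not Snort's own matcher; it re-implements the content / nocase / distance / within semantics the rule's http_uri contents rely on and runs them over constructed URIs. The stat.htm URI is built from the rule's own parameter order (the capture above only shows stat.htm?id=2208120 followed by a cnzz_data string), the stat.php URI is the one from the quoted script tag, and STAT_PHP_VARIANT is a hypothetical content list sketching the loader James asks about, not a published Sourcefire or ET rule. The sketch only tries the first occurrence of the first content and does not model Snort's backtracking. It also shows why the rule is tight to that one campaign: within:3 after distance:7 pins "&r=" to exactly seven bytes after "id=", so a beacon with a shorter or longer id is not matched at all.

```python
"""Toy model of Snort 2 content / nocase / distance / within matching,
traced against rule 18773's URI contents.  Added example; not Snort code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    distance: Optional[int] = None  # bytes to skip after the previous match
    within: Optional[int] = None    # the whole pattern must fit in this window


def _find(buf: bytes, pat: bytes, nocase: bool, start: int, end: Optional[int]) -> int:
    if nocase:
        buf, pat = buf.lower(), pat.lower()
    # bytes.find(sub, start, end) only matches if sub lies entirely in [start, end),
    # which mirrors Snort's requirement that 'within' be >= the pattern length.
    return buf.find(pat, start, end)


def match_contents(buf: bytes, contents: List[Content]) -> Optional[List[int]]:
    """Apply the content list in order; return the end offset of every match,
    or None at the first content that fails.  Only the first occurrence of the
    first (non-relative) content is tried, so Snort's backtracking is not modelled."""
    ends: List[int] = []
    prev_end = 0
    for c in contents:
        relative = c.distance is not None or c.within is not None
        if relative:
            start = prev_end + (c.distance or 0)
            end = start + c.within if c.within is not None else None
        else:
            start, end = 0, None
        pos = _find(buf, c.pattern, c.nocase, start, end)
        if pos < 0:
            return None
        prev_end = pos + len(c.pattern)
        ends.append(prev_end)
    return ends


def uri_matches(uri: bytes, contents: List[Content]) -> bool:
    return match_contents(uri, contents) is not None


# The http_uri contents of sid 18773, in rule order.
RULE_18773 = [
    Content(b"/stat.htm?id=", nocase=True),
    Content(b"&r=", nocase=True, distance=7, within=3),  # exactly 7 bytes of id
    Content(b"&repeatip=", nocase=True, distance=0),
    Content(b"&rtime=", nocase=True, distance=0),
    Content(b"&cnzz_eid=", nocase=True, distance=0),
]

# Hypothetical content list for the stat.php loader James describes.
# Constructed here for illustration; not a published Sourcefire/ET rule.
STAT_PHP_VARIANT = [
    Content(b"/stat.php?id=", nocase=True),
    Content(b"&web_id=", nocase=True, distance=0),
]

# Constructed sample URIs.  Parameter names and order for the stat.htm beacon
# come from the rule; the values are made up.
URI_STAT_HTM = (b"/stat.htm?id=2208120&r=http%3A%2F%2Fexample.invalid%2F"
                b"&repeatip=0&rtime=1&cnzz_eid=12345-1323460000-example")
URI_STAT_PHP = b"/stat.php?id=2208120&web_id=2208120"  # from the quoted script tag
URI_SHORT_ID = b"/stat.htm?id=99&r=x&repeatip=0&rtime=1&cnzz_eid=1"  # 2-digit id


def trace(uri: bytes) -> dict:
    """Summarise which content lists a URI satisfies."""
    return {
        "sid18773": uri_matches(uri, RULE_18773),
        "stat_php_variant": uri_matches(uri, STAT_PHP_VARIANT),
    }


if __name__ == "__main__":
    for u in (URI_STAT_HTM, URI_STAT_PHP, URI_SHORT_ID):
        print(u.decode(), trace(u))
```

Running it shows the stat.htm beacon hitting sid 18773, the stat.php loader URI hitting neither the published rule nor anything but the hypothetical variant, and the two-digit-id beacon slipping past the rule entirely because the "&r=" window is fixed at offset 20..23.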
Current thread:
- Re: [Emerging-Sigs] Rule 18773 Joel Esler (Dec 10)
- Re: [Emerging-Sigs] Rule 18773 Lay, James (Dec 12)