Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"
From: Community Signatures <lists () packetmail net>
Date: Mon, 12 Mar 2012 13:45:04 -0500
On 03/12/12 13:39, Joel Esler wrote:
> Nathan -- I rewrote the rule as such:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:1;)
>
> Do you see anything wrong there? I tested it against the pcap you sent us as well as an internally generated pcap against the family of malware. And it fires fine.
I think this is a better way to have written this, thanks. The abnormal header ordering and UA are unique enough, coupled with the HTTP POST payload, that we should not see false positives. It didn't occur to me to use 'depth:4; http_client_body;' as a way to avoid the unnecessary PCRE. Thanks Joel!

Thanks,
Nathan
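Added example, not code from this thread or from the Snort project: a small Python matcher (hypothetical name matches_sid_21562) that mirrors the three content checks in the rule Joel posted (http_method, http_header, and http_client_body with depth:4) over constructed HTTP requests, to show why depth:4 fires only when "smk=" opens the body and why the |0D 0A| after Mozilla/4.0 rejects longer User-Agent strings.

```python
# Constructed sample requests (not real captures) for exercising the rule logic.
BREDOLAB_LIKE = (
    b"POST /check HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0\r\n"          # bare UA, as in the rule's http_header content
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"smk=abcdef12"                         # "smk=" within the first 4 body bytes
)
LATE_SMK = BREDOLAB_LIKE.replace(b"smk=abcdef12", b"id=1&smk=abc")   # smk= beyond depth 4
GET_REQUEST = BREDOLAB_LIKE.replace(b"POST /check", b"GET /check")    # wrong method
LONG_UA = BREDOLAB_LIKE.replace(
    b"User-Agent: Mozilla/4.0\r\n", b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
)                                                                     # no CRLF right after 4.0


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, header block, body).

    The trailing CRLF of the last header is kept so that patterns ending in
    |0D 0A| can match the same way they do in Snort's header buffer.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line, headers + b"\r\n", body


def matches_sid_21562(raw: bytes) -> bool:
    """Re-implement the rule's content checks as plain substring tests.

    content:"POST"; http_method           -> method token of the request line
    content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header -> header block
    content:"smk="; depth:4; http_client_body -> only the first 4 body bytes
    """
    request_line, headers, body = split_request(raw)
    method = request_line.split(b" ", 1)[0]
    if b"POST" not in method:
        return False
    if b"User-Agent: Mozilla/4.0\r\n" not in headers:
        return False
    # depth:4 limits the search window to the first 4 bytes of the client body,
    # which is what lets the rule avoid a PCRE anchored at the body start.
    return b"smk=" in body[:4]


if __name__ == "__main__":
    for name, req in [("bredolab_like", BREDOLAB_LIKE), ("late_smk", LATE_SMK),
                      ("get_request", GET_REQUEST), ("long_ua", LONG_UA)]:
        print(f"{name}: {matches_sid_21562(req)}")
```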
Current thread:
- Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Community Proposed (Mar 12)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Community Proposed (Mar 12)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Joel Esler (Mar 12)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in" Community Signatures (Mar 12)