Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 11:43:32 -0400
Nathan,

Thanks for your submission. I took the pcap you sent me and ran it through our ruleset and received the following alerts:

1:21492:5 SPECIFIC-THREATS Blackhole landing page with specific structure - catch    Alerts: 1
1:1478:12 WEB-CGI swc access    Alerts: 1
1:6390:7 SPYWARE-PUT Adware esyndicate runtime detection - ads popup    Alerts: 1
1:21548:1 BOTNET-CNC Cutwail landing page connection attempt    Alerts: 1

A few others alerted as well, but I removed them as they were set to "noalert" (I remove "flowbits:noalert;" from my testing suite so I can see everything.) So an additional rule may not add value.

However, looking at your pcap gave me an idea to modify 21492. Trying that now.

J

On Tue, Mar 13, 2012 at 11:01 AM, Community Proposed <lists () packetmail net> wrote:
I'm having issues getting this to fire, and I've tried a few permutations; perhaps I'm simply overlooking something stupid. I believe you'll get the gist of the signature and I would appreciate feedback/changes:

I had also tried, without file_data, content:"|0d 0a 0d 0a|document.location="; fast_pattern;

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"; \
    flow:to_client,established; \
    file_data; \
    content:"document.location="; depth:18; fast_pattern; \
    content:"/showthread.php?t="; distance:0; \
    pcre:"/document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b/"; \
    classtype:trojan-activity; sid:436520770; rev:1;)

$ pcretest
PCRE version 8.02 2010-03-19

  re> /^document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b/
data> document.location=' http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff';
 0: document.location=' http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff';
data> document.location=" http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";
 0: document.location=" http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";
data> document.location="http://localhost"; alert("Hello from showthread.php?t=d7ad916d1c0396ff");
No match
data> ^C

09:16:26.964654 IP 187.45.193.142.80 > a.b.c.d.2968: P 1:386(385) ack 376 win 6432
0x0000: 4500 01a9 6eb9 4000 2c06 da8e bb2d c18e  E...n.@.,....-..
0x0010: 0ad9 7c72 0050 0b98 1333 57ff d926 a6f6  ..|r.P...3W..&..
0x0020: 5018 1920 0d8c 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
0x0040: 2041 7061 6368 650d 0a4c 6173 742d 4d6f  .Apache..Last-Mo
0x0050: 6469 6669 6564 3a20 5475 652c 2031 3320  dified:.Tue,.13.
0x0060: 4d61 7220 3230 3132 2031 333a 3135 3a32  Mar.2012.13:15:2
0x0070: 3620 474d 540d 0a43 6f6e 7465 6e74 2d54  6.GMT..Content-T
0x0080: 7970 653a 2061 7070 6c69 6361 7469 6f6e  ype:.application
0x0090: 2f78 2d6a 6176 6173 6372 6970 740d 0a43  /x-javascript..C
0x00a0: 6163 6865 2d43 6f6e 7472 6f6c 3a20 4e6f  ache-Control:.No
0x00b0: 2d43 6163 6865 0d0a 5072 6167 6d61 3a20  -Cache..Pragma:.
0x00c0: 6e6f 2d63 6163 6865 0d0a 436f 6e74 656e  no-cache..Conten
0x00d0: 742d 4c65 6e67 7468 3a20 3739 0d0a 4461  t-Length:.79..Da
0x00e0: 7465 3a20 5475 652c 2031 3320 4d61 7220  te:.Tue,.13.Mar.
0x00f0: 3230 3132 2031 343a 3136 3a32 3620 474d  2012.14:16:26.GM
0x0100: 540d 0a58 2d56 6172 6e69 7368 3a20 3137  T..X-Varnish:.17
0x0110: 3738 3333 3739 3431 2031 3737 3833 3334  78337941.1778334
0x0120: 3534 360d 0a41 6765 3a20 3332 0d0a 5669  546..Age:.32..Vi
0x0130: 613a 2031 2e31 2076 6172 6e69 7368 0d0a  a:.1.1.varnish..
0x0140: 436f 6e6e 6563 7469 6f6e 3a20 6b65 6570  Connection:.keep
0x0150: 2d61 6c69 7665 0d0a 0d0a 646f 6375 6d65  -alive....docume
0x0160: 6e74 2e6c 6f63 6174 696f 6e3d 2768 7474  nt.location='htt
0x0170: 703a 2f2f 7072 6f78 6977 6173 682e 6672  p://proxiwash.fr
0x0180: 3a38 3038 302f 7368 6f77 7468 7265 6164  :8080/showthread
0x0190: 2e70 6870 3f74 3d64 3761 6439 3136 6431  .php?t=d7ad916d1
0x01a0: 6330 3339 3666 6627 3b                   c0396ff';

Thanks,
Nathan
--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
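As an added example (not part of the thread), this Python emulates the proposed rule's detection options in order, file_data, content with depth:18, the relative content, then the pcre, against the HTTP response reconstructed from the ASCII column of Nathan's tcpdump. The response bytes and make_response helper are constructed here; the regex is the rule's pcre unchanged. It also shows that depth:18 rejects a body with any bytes ahead of document.location=.

```python
import re

# Constructed from the ASCII column of the tcpdump output quoted in the
# thread: the HTTP response carrying the 79-byte JavaScript redirect.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: application/x-javascript\r\n"
    b"Cache-Control: No-Cache\r\n"
    b"Content-Length: 79\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"document.location='http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff';"
)

# The pcre from the proposed rule, unchanged.
REDIRECT_RE = re.compile(
    rb"document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b"
)


def make_response(body: bytes) -> bytes:
    """Wrap a JavaScript body in minimal constructed HTTP response headers."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-javascript\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def rule_matches(response: bytes) -> bool:
    """Emulate the proposed rule's detection options, evaluated in order."""
    # file_data: for an HTTP response the inspected buffer is the body,
    # i.e. everything after the blank line that ends the headers.
    sep = response.find(b"\r\n\r\n")
    if sep < 0:
        return False
    body = response[sep + 4:]
    # content:"document.location="; depth:18; -> the 18-byte pattern must
    # lie entirely within the first 18 bytes, so only offset 0 can match.
    needle = b"document.location="
    pos = body.find(needle, 0, 18)
    if pos < 0:
        return False
    # content:"/showthread.php?t="; distance:0; -> the search resumes right
    # after the previous match and may hit anywhere later in the buffer.
    if body.find(b"/showthread.php?t=", pos + len(needle)) < 0:
        return False
    # pcre: an unanchored search over the same buffer.
    return REDIRECT_RE.search(body) is not None
```

The third pcretest sample from the thread fails here on the relative content option, since "Hello from showthread.php" has no leading slash, before the regex is even reached.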