Snort mailing list archives
Re: UTF-8 BOM
From: rmkml <rmkml () yahoo fr>
Date: Tue, 9 Apr 2013 21:06:05 +0200 (CEST)
Hi,

Thx for sharing,
- maybe change B4 to 4B ?
- for http sig, maybe add H on pcre ?

Best Regards
Rmkml

On Mon, 8 Apr 2013, Joel Esler wrote:
On Apr 8, 2013, at 4:22 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2013-04-08 14:10, Joel Esler wrote:

How about something like this James? (Three rules)

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data; content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data; content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service imap, service pop3; reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; http_header; content:"filename="; nocase; http_header; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data; content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity;)

Dammit Joel...yours always look so much better than mine :P As always, thanks a bunch :)

:D Alright, I have these in the test system, let's see how they do.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
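The byte-level point rmkml raises (B4 versus 4B in the file_data content match) and why a BOM-prefixed ZIP is worth a signature at all, as an added example that is not part of the thread or of the Snort/VRT rules above. The ZIP header starts with "PK" (50 4B), so the posted pattern |EF BB BF 50 B4| cannot match a real archive, while |EF BB BF 50 4B| does. The in-memory archive, its member name and its payload are constructed for the demonstration; content_match is a simplified emulation of Snort's content/depth check on a file_data buffer, not Snort's own matcher, and the other function names are ours.

```python
"""Added example: UTF-8 BOM prepended to a ZIP versus the posted Snort content match."""
import io
import zipfile

UTF8_BOM = b"\xef\xbb\xbf"
ZIP_LOCAL_HEADER = b"PK\x03\x04"                 # 50 4B 03 04 (first bytes of a ZIP)
POSTED_CONTENT = bytes.fromhex("EFBBBF50B4")     # |EF BB BF 50 B4| as posted
CORRECTED_CONTENT = bytes.fromhex("EFBBBF504B")  # |EF BB BF 50 4B| per rmkml's fix

SAMPLE_NAME = "invoice.exe"                      # constructed member name
SAMPLE_PAYLOAD = b"MZ constructed sample, not a real PE"  # constructed payload


def build_bom_zip(member_name=SAMPLE_NAME, payload=SAMPLE_PAYLOAD):
    """Build a valid ZIP in memory and prepend a UTF-8 BOM to it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return UTF8_BOM + buf.getvalue()


def content_match(data, pattern, depth):
    """Emulate Snort 'content:"|..|"; depth:N;' on a file_data buffer:
    the whole pattern must lie within the first `depth` bytes."""
    return pattern in data[:depth]


def is_bom_prefixed_zip(data):
    """Cheap host-side check for the same artifact the rules look for."""
    return data.startswith(UTF8_BOM + ZIP_LOCAL_HEADER)


def read_members(data):
    """Return {name: bytes} if the blob parses as a ZIP, else None.
    zipfile locates the end-of-central-directory record from the end of
    the data and tolerates leading bytes, so the BOM does not stop
    extraction; that tolerance is what the BOM trick relies on."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name: zf.read(name) for name in zf.namelist()}
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    sample = build_bom_zip()
    print("first bytes:", sample[:5].hex())
    print("posted |EF BB BF 50 B4| matches:", content_match(sample, POSTED_CONTENT, 5))
    print("corrected |EF BB BF 50 4B| matches:", content_match(sample, CORRECTED_CONTENT, 5))
    print("host check:", is_bom_prefixed_zip(sample))
    print("zipfile still extracts:", read_members(sample))
```

Running it shows the posted pattern never fires on a genuine BOM-prefixed archive while the corrected one does, and that the archive still extracts cleanly despite the three leading bytes. The H modifier rmkml suggests for the HTTP rule's pcre is a Snort buffer-selection issue and is not modelled here.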
Current thread:
- UTF-8 BOM James Lay (Apr 08)
- Re: UTF-8 BOM Joel Esler (Apr 08)
- Re: UTF-8 BOM James Lay (Apr 08)
- Re: UTF-8 BOM Joel Esler (Apr 08)
- Re: UTF-8 BOM rmkml (Apr 09)
- Re: UTF-8 BOM Joel Esler (Apr 09)
- Re: UTF-8 BOM James Lay (Apr 08)
- Re: UTF-8 BOM Joel Esler (Apr 08)