Snort mailing list archives
Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 6 May 2013 17:18:22 -0400
On May 6, 2013, at 5:04 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 5/6/2013 13:37, Joel Esler wrote:
>> On May 3, 2013, at 8:54 PM, lists () packetmail net wrote:
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from compromised or malicious WordPress site"; flow:established,from_server; content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; sid:x; rev:1;)
>>
>> Nathan, Looking at what you are intending here, I think you mean it the other way (HOME_NET -> $EXTERNAL_NET)
>
> ok... now i'm officially confused... the flow in the rule is "from_server"... with that specified, does it really matter if HOME_NET or EXTERNAL_NET come first? then there's the situation of not only detecting this coming into a network from an external server, but also of detecting this going out of a network that runs servers feeding the public on the outside... does the '->' really make any difference? should it instead have been '<-' if the rule writer really wanted HOME_NET to be first?

There is no such thing as "<-". The way that Nathan wrote the rule above says we are looking for a URI to be returned from a server external to our network to a client that initiated the connection. This wouldn't work. Which is why I said we need to reverse it to look for HOME_NET -> $EXTERNAL_NET and "to_server" in the flow. That way we are alerting on someone making an outbound request for a file with the exe extension in the /wp-content/ directory on the server.

> would using '<->' or '<>' (if either is allowed) detect the traffic no matter which way the traffic was going (internal server to external client or external server to internal client) no matter where the server is located??

<> is allowed, but isn't very descriptive from an alert point of view. Plus, coupled with flow "to_server" you'd want to make sure that your msg was reflective of what you were trying to do in the rule.

http://blog.snort.org/2011/09/flow-matters.html

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
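The following is an added example, not code from the thread or from Snort itself: a small Python model of the three things the exchange above turns on, the direction operator in the rule header, the flow:to_server/from_server modifier, and the fact that the http_uri buffer comes from the client's request line. It runs the rule as posted, the reversed form Joel suggests, and the "<>" variant waldo asks about over a constructed request/response pair. HOME_NET (10.0.0.0/8), HTTP_PORTS, the IP addresses and the URI are all made up for the example, and the matcher is a deliberate simplification of Snort's engine (no stream tracking, no content buffers other than the URI).

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed variable definitions (constructed for this example, not a real snort.conf).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_PORTS = {80, 8080}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    client_to_server: bool  # True when sent by the side that opened the TCP session
    uri: str = ""           # http_uri buffer; filled by the HTTP inspector from the request line only


def _ip_side(spec: str, ip: str) -> bool:
    """Match a rule address variable against one concrete IP."""
    addr = ipaddress.ip_address(ip)
    if spec == "$HOME_NET":
        return addr in HOME_NET
    if spec == "$EXTERNAL_NET":  # the usual definition: !$HOME_NET
        return addr not in HOME_NET
    return spec == "any"


def _port_side(spec: str, port: int) -> bool:
    if spec == "$HTTP_PORTS":
        return port in HTTP_PORTS
    return spec == "any"


@dataclass
class Rule:
    src: str
    sport: str
    direction: str        # "->" or "<>"; there is no "<-"
    dst: str
    dport: str
    flow: str             # "to_server" or "from_server"
    uri_patterns: tuple   # regexes applied to the http_uri buffer (content/pcre with /U)
    msg: str

    def _header_matches(self, pkt: Packet) -> bool:
        fwd = (_ip_side(self.src, pkt.src) and _port_side(self.sport, pkt.sport)
               and _ip_side(self.dst, pkt.dst) and _port_side(self.dport, pkt.dport))
        if self.direction == "->":
            return fwd
        # "<>": the header may also match with source and destination swapped
        rev = (_ip_side(self.src, pkt.dst) and _port_side(self.sport, pkt.dport)
               and _ip_side(self.dst, pkt.src) and _port_side(self.dport, pkt.sport))
        return fwd or rev

    def matches(self, pkt: Packet) -> bool:
        if not self._header_matches(pkt):
            return False
        # flow is decided by who opened the session, independently of the header
        if self.flow == "to_server" and not pkt.client_to_server:
            return False
        if self.flow == "from_server" and pkt.client_to_server:
            return False
        # http_uri options can only match on a packet that actually carries the URI buffer
        if not pkt.uri:
            return False
        return all(re.search(p, pkt.uri) for p in self.uri_patterns)


URI_CHECKS = (r"/wp-content/", r"/\d+\.exe$")

# Header and flow as posted in the thread: external server -> home client, from_server.
AS_POSTED = Rule("$EXTERNAL_NET", "$HTTP_PORTS", "->", "$HOME_NET", "any",
                 "from_server", URI_CHECKS, "as posted")
# Direction and flow reversed as suggested: home client -> external server, to_server.
REVERSED = Rule("$HOME_NET", "any", "->", "$EXTERNAL_NET", "$HTTP_PORTS",
                "to_server", URI_CHECKS, "reversed")
# The bidirectional variant: same flow, header accepted in either orientation.
BIDIR = Rule("$HOME_NET", "any", "<>", "$EXTERNAL_NET", "$HTTP_PORTS",
             "to_server", URI_CHECKS, "bidirectional")

# Constructed exchange: an inside host fetches /wp-content/uploads/12345.exe from an outside server.
REQUEST = Packet("10.1.2.3", "203.0.113.10", 51514, 80, True, uri="/wp-content/uploads/12345.exe")
RESPONSE = Packet("203.0.113.10", "10.1.2.3", 80, 51514, False)  # carries the body, not the URI


def evaluate(rule: Rule) -> list:
    """Return the names of the packets in the exchange that the rule alerts on."""
    return [name for name, pkt in (("request", REQUEST), ("response", RESPONSE)) if rule.matches(pkt)]


if __name__ == "__main__":
    for rule in (AS_POSTED, REVERSED, BIDIR):
        print(f"{rule.msg:14s} alerts on: {evaluate(rule) or 'nothing'}")
```

Running it shows the rule as posted alerting on nothing: the request fails the header (its source is in HOME_NET, the header wants EXTERNAL_NET first) and the response has no URI buffer for the http_uri checks to look at. The reversed header with to_server fires on the request, and "<>" fires on the same packet and nothing more, since the flow keyword still rejects the response; the only thing the bidirectional header changes is how well the msg describes what was seen.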
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Late in the day...bet this could be sig'd James Lay (May 03)
- Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) lists () packetmail net (May 03)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Lay, James (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) waldo kitty (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) Joel Esler (May 06)
- Re: Proposed Sirefef (was Re: Late in the day...bet this could be sig'd) waldo kitty (May 06)