Snort mailing list archives
Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"
From: "lists () packetmail net" <lists () packetmail net>
Date: Wed, 11 Sep 2013 09:17:07 -0500
I'll let you convert this into VRT format. This was originally shared at https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022768.html and I'm turning it over to VRT COMMUNITY as well, thanks! I'm seeing some pretty big win here, thoughts? I've regression tested this from 8/01+ with no false positives and only true win. Credits to V.L. on the sig, with only some minor changes from me.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70,norm; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:x; rev:1;)

Some regression testing:

select distinct date_time,http_status,url from webwasher_full where day>='2013-08-01' and url rlike 'http:\\/\\/[^\\x2f]+\\/[a-f0-9]{5,}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\.php';

[03/Aug/2013:10:28:59 -0600] 200 hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
[03/Aug/2013:10:29:00 -0600] 404 hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv
[12/Aug/2013:07:21:08 -0600] 502 hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php
[19/Aug/2013:09:54:33 -0600] 200 hxxp://bnaafv.t1.domainswellngtons.com/065952/factors-survives_altering/merely-calling_regulations-book.php
[19/Aug/2013:09:54:36 -0600] 404 hxxp://www.ifcsutah.com/065952/factors-survives_altering/merely-calling_regulations-book.php?PvxbnFCXy=ksdQav&LgZxC=ZgPitLAMjjO
[19/Aug/2013:16:04:13 -0600] 502 hxxp://sbwbwz.www3.localsearcherstuners.net/104aa6/mechanism-ultimately/advertises-discover-operations.php
[20/Aug/2013:12:00:43 -0600] 502 hxxp://vnbxmr.ll2.domaindcomsdoctoriss.com/49bcde/repeats_stayed_fields/wanting-introducing.php
[26/Aug/2013:13:39:25 -0600] 200 hxxp://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php
[26/Aug/2013:14:11:05 -0600] 200 hxxp://xdsbhi.zxc1.domainswealthynodes.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php
[26/Aug/2013:14:11:06 -0600] 404 hxxp://www.trainingap.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php?TtESMCoBkbMAGl=iWUpOduLQTx&tvtbkQDqLDxm=MOiVhdpSSzXjm
[28/Aug/2013:11:13:31 -0600] 200 hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/company-lorries/released_arises.php
[28/Aug/2013:11:13:34 -0600] 404 hxxp://www.lincolncountyco.us/5ca711/company-lorries/released_arises.php?HpMUFQISFd=PqYLvOpvsEO&hDmbxLVL=veGgPauJiKqpP
[28/Aug/2013:11:14:18 -0600] 404 hxxp://www.lincolncountyco.us/5ca711/constant-putting/allowed_greater_removes.php?BfCRSa=PMlCcqB&rfvRRZlpbQlYIq=yYslQpJrgrktX
[28/Aug/2013:11:14:18 -0600] 200 hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/constant-putting/allowed_greater_removes.php
[29/Aug/2013:13:29:09 -0600] 200 hxxp://nmztle.www2.domainsegghipesunic.net/bcb655/remembered-cumming/derives-sun-restores_limited.php
[29/Aug/2013:13:29:13 -0600] 404 hxxp://www.lincolncountyco.us/bcb655/remembered-cumming/derives-sun-restores_limited.php?YfjJvzOWjghc=DOfqfbhq&HaEMS=BfYzdzC
[03/Sep/2013:15:31:23 -0600] 200 hxxp://kxwubnxvbxkn.qwe3.wyearsale.net/21b37/jobs-acted/opinions-obtains-flied-belongs.php
[03/Sep/2013:15:31:25 -0600] 404 hxxp://domainseercher.pw/21b37/jobs-acted/opinions-obtains-flied-belongs.php?byVHMcyU=ctZxaastsBksZ&xFZSrsWAeoQp=pnImtrixlywjKp

PCRE Testing:

PCRE version 8.12 2011-01-15

  re> /\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/
data> http://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
 0: /af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
data> ^C

Cheers,
Nathan Fowler
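An added example, not part of the post: a small Python emulation of the rule's URI conditions (urilen:>70, content:".php" in the URI, and the PCRE) run over proxy log lines in the format shown above. The sample log is constructed from the first three regression entries plus one benign URL, and each condition is reported separately so the urilen gate can be checked against the PCRE-only SQL regression.

```python
import re

# PCRE from the proposed rule; Snort's /U flag applies it to the normalized
# HTTP URI, so here it is run on the request URI (path + query) of each URL.
BLACKHOLE_URI_RE = re.compile(
    r"/[a-f0-9]{5,}/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}"
    r"/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php"
)

# Constructed sample: the first three regression entries from the post plus one
# benign URL; "hxxp" is the defanged scheme used in the post.
SAMPLE_LOG = """\
[03/Aug/2013:10:28:59 -0600] 200 hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
[03/Aug/2013:10:29:00 -0600] 404 hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv
[12/Aug/2013:07:21:08 -0600] 502 hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php
[12/Aug/2013:08:00:00 -0600] 200 hxxp://www.example.com/blog/2013/08/some-post-title.php
"""

LOG_LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(\d{3})\s+(\S+)$")

def uri_of(url):
    """Request URI (path plus query) of an absolute URL, i.e. Snort's URI buffer."""
    rest = url.split("://", 1)[1] if "://" in url else url
    slash = rest.find("/")
    return rest[slash:] if slash != -1 else "/"

def check_uri(uri):
    """Evaluate each URI condition of the rule separately."""
    return {
        "urilen_gt_70": len(uri) > 70,          # urilen:>70,norm
        "has_php": ".php" in uri,               # content:".php"; http_uri
        "pcre": BLACKHOLE_URI_RE.search(uri) is not None,
    }

def rule_matches(url):
    """True only when every URI condition holds, as the rule requires."""
    return all(check_uri(uri_of(url)).values())

def scan_log(text):
    """Return (status, url, checks) for every parsable line of a proxy log."""
    results = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        _ts, status, url = m.groups()
        results.append((status, url, check_uri(uri_of(url))))
    return results

if __name__ == "__main__":
    for status, url, checks in scan_log(SAMPLE_LOG):
        verdict = "ALERT" if all(checks.values()) else "no alert"
        print(f"{verdict:8} {status} urilen={len(uri_of(url)):3} {checks} {url}")
```

Running it shows the PCRE hitting both the 200 landing request and the query-string variant, but the path-only landing URI in the first sample is 69 bytes, so only the variants carrying a query string clear the urilen:>70 gate.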