Re: Expiro sigs

[Geoffrey Serrao <gserrao () sourcefire com>]

It looks like these post requests are missing a x5f character in the uri,
which sticks out to me as odd.

Maybe you could add that check . Something like:

content: !"/"; http_uri;

After the second content match. This would add an additional check to avoid
engaging the pcre unless absolutely necessary.
Just throwing that out there as a potential option if you find that this
rule is performance heavy the way it is.


On Thu, Nov 14, 2013 at 10:12 AM, Y M <snort () outlook com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Expiro HID post attempt"; flow:to_server,established;
> urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A
> 20|Mozilla"; http_header;
> pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi";
> fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset
> community, service http; reference:url,
> kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf;
> classtype:trojan-activity; sid:100109; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> Win.Trojan.Expiro HID post attempt"; flow:to_server,established;
> urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A
> 20|Mozilla"; http_header;
> pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi";
> fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset
> community, service http; reference:url,
> kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf;
> classtype:trojan-activity; sid:100111; rev:1;)
>
> Any help with the pcre is highly appreciated. Also from the reference, its
> not 100% clear to me if the uri of length (13-20) is actually associated
> with POST request.
>
> Thanks.
> YM
>
>
> ------------------------------------------------------------------------------
> DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
> OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
> Free app hosting. Or install the open source package on any LAMP server.
> Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
> http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Geoffrey J. Serrao
SOURCEfire Technical Support
My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - Friday. If
you need assistance outside of these hours, please contact
support () sourcefire com and another engineer will respond.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!