Snort mailing list archives

Re: Expiro sigs


From: Y M <snort () outlook com>
Date: Thu, 14 Nov 2013 17:51:09 +0000

Correction. Thanks again for the second catch Geoffrey :)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; fast_pattern; http_header; content:!"/"; http_uri; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100109; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; content:!"/"; http_uri; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100111; rev:1;)
YM
From: snort () outlook com
To: gserrao () sourcefire com
Date: Thu, 14 Nov 2013 17:41:45 +0000
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Expiro sigs




Nice catch Geoffrey. Thanks. I will do some testing on performance. 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; content:!"/"; http_uri; http_header; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100109; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; content:!"/"; http_uri; http_header; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100111; rev:1;)
Date: Thu, 14 Nov 2013 11:48:48 -0500
Subject: Re: [Snort-sigs] Expiro sigs
From: gserrao () sourcefire com
To: snort () outlook com
CC: snort-sigs () lists sourceforge net

It looks like these post requests are missing a x5f character in the uri, which sticks out to me as odd. 
Maybe you could add that check. Something like:

content: !"/"; http_uri;
After the second content match. This would add an additional check to avoid engaging the pcre unless absolutely 
necessary. 
Just throwing that out there as a potential option if you find that this rule is performance heavy the way it is. 


On Thu, Nov 14, 2013 at 10:12 AM, Y M <snort () outlook com> wrote:




alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}/Hmi"; fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100109; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Expiro HID post attempt"; flow:to_server,established; urilen:13<>20,norm; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla"; http_header; pcre:"/^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}/Hmi"; fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,kb.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23509/en_US/McAfee_Labs_Threat_Advisory_Expiro.pdf; classtype:trojan-activity; sid:100111; rev:1;)

Any help with the pcre is highly appreciated. Also, from the reference, it's not 100% clear to me if the uri of length 
(13-20) is actually associated with a POST request.
Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!


-- 
Geoffrey J. Serrao
SOURCEfire Technical Support
My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - Friday. If you need 
assistance outside of these hours, please contact support () sourcefire com and another engineer will respond.
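The following is an added example, not code from this thread, from Snort, or from either poster. It emulates in plain Python the option chain shared by the two Expiro rules posted above (sid 100109 and 100111, in YM's corrected form at the top of the thread) so the ordering effect Geoffrey describes can be measured: every option before the pcre is a cheap filter, and the negated `content:!"/"; http_uri` check stops ordinary POST requests before the regex is evaluated at all. Assumptions are stated in the code: the request is already reassembled (flow is not modeled), the raw header block stands in for Snort's `http_header` buffer, Snort's default case-sensitive content matching is mirrored, `urilen:13<>20` is treated as inclusive, and all sample requests and User-Agent strings are constructed.

```python
import re

# Added example, not code from this thread or from Snort. It emulates in plain
# Python the option chain shared by the two Expiro rules (sid 100109 and
# 100111) so the ordering effect Geoffrey describes can be measured: every
# option before the pcre is a cheap filter, and content:!"/"; http_uri stops
# ordinary POST requests before the regex is evaluated at all.
# Assumptions: the request is already reassembled (flow is not modeled), the
# raw header block stands in for Snort's http_header buffer, content matching
# is case-sensitive (Snort's default), and urilen:13<>20 is treated as inclusive.

# Regexes copied from the two rules. Snort's /Hmi flags map to: H = header
# buffer (we pass the header block), m = multiline, i = case-insensitive.
HID_RE = re.compile(
    r"^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}"
    r"\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}",
    re.M | re.I,
)
NET_RE = re.compile(
    r"^User-Agent:[^\n]*?NT[0-9]{1}\.1\.[0-9]{4}\-[A-Z0-9]{8}\.[A-Z]{3}"
    r"\.[A-Z0-9]{8}-[0-9]{6}-[A-Z]{6}-[0-9A-Z]{8}\;\s\.NET\sCLR\s[0-9]{8}\/[0-9]{8}",
    re.M | re.I,
)
RULES = {100109: HID_RE, 100111: NET_RE}


def split_request(raw):
    """Return (method, uri, header_block) from a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, headers


def evaluate(raw, uri_check=True):
    """Walk the options in rule order; return (matched_sids, pcre_evaluations).

    The second value counts how often the expensive pcre step actually ran,
    which is the cost Geoffrey's negated URI content is meant to avoid.
    """
    method, uri, headers = split_request(raw)
    if not 13 <= len(uri) <= 20:                 # urilen:13<>20,norm
        return [], 0
    if method != "POST":                         # content:"POST"; http_method
        return [], 0
    if "User-Agent: Mozilla" not in headers:     # content:"User-Agent|3A 20|Mozilla"; http_header
        return [], 0
    if uri_check and "/" in uri:                 # content:!"/"; http_uri
        return [], 0
    # Only requests that survive every cheap check pay for the regexes.
    matched = [sid for sid, rx in RULES.items() if rx.search(headers)]
    return matched, len(RULES)


def pcre_load(requests, uri_check=True):
    """Total pcre evaluations over a batch of requests."""
    return sum(evaluate(r, uri_check)[1] for r in requests)


def build(method, uri, user_agent):
    """Assemble a minimal HTTP/1.1 request (constructed sample traffic)."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: example.invalid\r\n"
            f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n")


# Synthetic User-Agent strings shaped to the rule regexes; they are not
# observed malware samples.
EXPIRO_UA_NET = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows "
                 "NT6.1.7601-ABCDEFGH.XYZ.12345678-123456-ABCDEF-A1B2C3D4; "
                 ".NET CLR 12345678/87654321)")
EXPIRO_UA_HID = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows "
                 "NT6.1.7601-ABCDEFGH.XYZ.12345678-123456-ABCDEF-A1B2C3D4)")
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"

SAMPLES = [
    build("GET", "/index.html", BROWSER_UA),         # uri len 11: fails urilen
    build("POST", "/upload/file.php", BROWSER_UA),   # len 16, ordinary upload, has "/"
    build("POST", "abcdefghijklmn", EXPIRO_UA_NET),  # len 14, no "/", both sids
    build("POST", "abcdefghijklmn", EXPIRO_UA_HID),  # len 14, no "/", sid 100109 only
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.split("\r\n", 1)[0], "->", evaluate(req))
    print("pcre evaluations with uri check:   ", pcre_load(SAMPLES))
    print("pcre evaluations without uri check:", pcre_load(SAMPLES, uri_check=False))
```

Over these four constructed requests, the negated URI content keeps the regexes from running against the ordinary upload at all, so the batch costs four pcre evaluations instead of six; on real traffic, where nearly every POST has a slash in its path, the saving is proportionally much larger, which is the performance point Geoffrey is making.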

                                          
