Snort mailing list archives

Re: Vbs rat threat rules


From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 28 Jan 2014 23:42:40 +0000

Hi,

That won't work, in that port 1000 can't use HTTP keywords unless you add it
to your local $HTTP_PORTS variable in snort.conf. So your choice is either:

1) add port 1000 to the $HTTP_PORTS variable and change to this (I have
corrected the other rule options for your reference, mostly external_host,
no flow etc.):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"alert vbs rat";
flow:established,to_server; content:"some.website.net"; http_header;
fast_pattern:only; pcre:"/Host\x3A[^\r\n]*some\.website\.net/H";
classtype:trojan-activity; sid:123991; rev:1;)

2) Don't have it in your HTTP_PORTS and go like the rule below (although
personally I would have it being a destination port of any instead of 1000,
which increases detection because I assume being a RAT they can change the
server listening port):
alert tcp $HOME_NET any -> $EXTERNAL_NET 1000 (msg:"alert vbs rat";
flow:established,to_server; content:"some.website.net"; fast_pattern:only;
pcre:"/Host\x3A[^\r\n]*some\.website\.net/sm"; classtype:trojan-activity;
sid:123992; rev:1;)

Hope that helps you out on the idea behind this. Personally though, if I was
you, specific blacklist-type things are not ideal for snort rules, so I would
look at the structure of the command and control rather than where it is
going. If you are looking for sites I would recommend alongside snort
running passiveDNS https://github.com/gamelinux/passivedns which will
record your name/ip resolutions, and then if you ever wonder if you have
been compromised you can query that and get a time for first and last
querying, which can help out a lot - especially as databases of DNS traffic
can be retained for a long time.

I would also recommend you use BRO which very nicely complements Snort in
that you can log all that extra information like files, HTTP traffic, FTP,
IRC, SMTP etc. What you can then do is send it over to ELSA
http://code.google.com/p/enterprise-log-search-and-archive/. This is a
video of it https://www.youtube.com/watch?v=INRJZ3_Dsyc. You can also
extract files and do lots of other things with it (which you can do in the
latest Snort too). Still I think BRO & Snort work well and with ELSA it
allows you to query data quickly and form interesting queries to find
anomalous things.

Kind Regards,
Kevin Ross
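The difference between the two options above comes down to which buffer each rule inspects and whether that buffer exists for the port in question. The following is an added illustration, not code from the thread or from Snort: a small Python model of the matching logic, where the http_header buffer is only built for ports listed in $HTTP_PORTS (as the message states), option 1 matches in that buffer, and option 2 matches the raw payload. The sample requests and the port sets are constructed for the example; the regex is the pcre from both rules.

```python
import re

# Simplified model of the two rule styles from the message above.
# It re-implements the matching idea in Python and is NOT Snort itself.

DEFAULT_HTTP_PORTS = {80, 8080}  # constructed stand-in for snort.conf's $HTTP_PORTS
C2_HOST_PATTERN = rb"Host\x3A[^\r\n]*some\.website\.net"  # the pcre used by both rules

# Constructed sample client payloads (not captures from the thread).
REQ_C2 = (b"GET /check HTTP/1.1\r\n"
          b"Host: some.website.net\r\n"
          b"User-Agent: Mozilla/4.0\r\n\r\n")
REQ_BENIGN = (b"GET / HTTP/1.1\r\n"
              b"Host: www.example.org\r\n\r\n")


def http_header_buffer(payload, dst_port, http_ports):
    """Return the header buffer that http_header / pcre '/H' would inspect.

    Snort only builds HTTP buffers for ports in $HTTP_PORTS, so for any other
    destination port the buffer does not exist and HTTP rule options can never
    match, which is the point made in the message above.
    """
    if dst_port not in http_ports:
        return None
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete header block, nothing to normalise
    lines = head.split(b"\r\n")
    return b"\r\n".join(lines[1:]) + b"\r\n"  # drop the request line, keep headers


def option1_matches(payload, dst_port, http_ports=DEFAULT_HTTP_PORTS):
    """Option 1: dst port $HTTP_PORTS; content ... http_header; pcre ... /H."""
    if dst_port not in http_ports:  # port check on the rule header
        return False
    buf = http_header_buffer(payload, dst_port, http_ports)
    if buf is None or b"some.website.net" not in buf:  # content; http_header;
        return False
    return re.search(C2_HOST_PATTERN, buf) is not None  # pcre:"/.../H"


def option2_matches(payload, dst_port, rule_port=None):
    """Option 2: raw payload matching; rule_port=None models a dst port of 'any'."""
    if rule_port is not None and dst_port != rule_port:
        return False
    if b"some.website.net" not in payload:  # content; on the raw buffer
        return False
    return re.search(C2_HOST_PATTERN, payload, re.S | re.M) is not None  # /sm


if __name__ == "__main__":
    for port in (80, 1000, 2000):
        print(f"dst port {port}:",
              "opt1(default ports)=", option1_matches(REQ_C2, port),
              "opt1(+1000)=", option1_matches(REQ_C2, port, {80, 8080, 1000}),
              "opt2(port 1000)=", option2_matches(REQ_C2, port, rule_port=1000),
              "opt2(any)=", option2_matches(REQ_C2, port))
```

Running it shows the behaviour the message describes: with the default port set, option 1 never fires on port 1000 even though the Host header is there, and fires only once 1000 is added; option 2 with a fixed port of 1000 misses the same request on port 2000, whereas the "any" variant catches it. The model ignores the rest of http_inspect's normalisation, which is why a real deployment should be verified against a pcap rather than against this script.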



On 28 January 2014 17:07, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

Thanks for replying. My packets go through a proxy and snort is between 2
proxies. I've just learned that this proxy might change or encapsulate the
packet. I'm trying to monitor a vbs rat threat that is making connections from
the inside to the outside world via various port numbers and hostnames. I have
the rule but it didn't work. So I thought vrt could have a special rule for
this.

Alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"
content:"Host|3A|"; nocase; http_header; content:"some.website.net";
nocase; http_header; fast_pattern:only; priority:1; Sid:1000002; rev:1;)

Thanks.


Regards,
Feroz Basir

On 28 Jan 2014, at 10:40, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Perhaps the reason is, "vbs rat" isn't a specific attack, it's a generic
term. We have lots of detection for Remote Access Tools, which *one* is
really the question.


On Jan 27, 2014, at 7:49 PM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi again,

Does anybody know? Please help. Thanks.


Regards,
Feroz Fazidi Bin Basir

On 25 Jan 2014, at 19:34, Feroz Basir <feroz.basir () gmail com> wrote:

Hi all,

Does anybody know which rule vrt uses for detecting the VBS RAT threat? I'm
sniffing proxy packets, which I think changes the packet.

Thanks.


Regards,
Feroz Basir



------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.

http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
