Snort mailing list archives
Re: Vbs rat threat rules
From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 28 Jan 2014 23:42:40 +0000
Hi,

That won't work, in that port 1000 can't use HTTP keywords unless you add it to your local $HTTP_PORTS variable in snort.conf. So your choice is either:

1) Add port 1000 to the $HTTP_PORTS variable and change to this (I have corrected the other rule options for your reference, mostly external_host, no flow etc.):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"alert vbs rat"; flow:established,to_server; content:"some.website.net"; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*some\.website\.net/H"; classtype:trojan-activity; sid:123991; rev:1;)

2) Don't have it in your HTTP_PORTS and go like the rule below (although personally I would have it being a destination port of any instead of 1000, which increases detection because I assume being a RAT they can change the server listening port):

alert tcp $HOME_NET any -> $EXTERNAL_NET 1000 (msg:"alert vbs rat"; flow:established,to_server; content:"some.website.net"; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*some\.website\.net/sm"; classtype:trojan-activity; sid:123992; rev:1;)

Hope that helps you out on the idea behind this. Personally though, if I was you, specific blacklist type things are not ideal for snort rules, so I would look at the structure of the command and control rather than where it is going.

If you are looking for sites, I would recommend alongside snort running passiveDNS https://github.com/gamelinux/passivedns which will record your name/ip resolutions, and then if you ever wonder if you have been compromised you can query that and get a time for first and last querying, which can help out a lot - especially as databases of DNS traffic can be retained for a long time. I would also recommend you use BRO, which very nicely complements Snort in that you can log all that extra information like files, HTTP traffic, FTP, IRC, SMTP etc. What you can then do is send it over to ELSA http://code.google.com/p/enterprise-log-search-and-archive/.

This is a video of it https://www.youtube.com/watch?v=INRJZ3_Dsyc. You can also extract files and do lots of other things with it (which you can do in the latest Snort too). Still, I think BRO & Snort work well, and with ELSA it allows you to query data quickly and form interesting queries to find anomalous things.

Kind Regards,
Kevin Ross

On 28 January 2014 17:07, Feroz Basir <feroz.basir () gmail com> wrote:
Hi,

Thanks for replying. My packets go through a proxy and snort is between 2 proxies. I've just learned that this proxy might change or encapsulate the packet. I'm trying to monitor a vbs rat threat that is making connections from the inside to the outside world via various port numbers and hostnames. I have the rule but it didn't work. So I thought vrt could have a special rule for this.

Alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat" content:"Host|3A|"; nocase; http_header; content:"some.website.net"; nocase; http_header; fast_pattern:only; priority:1; Sid:1000002; rev:1;)

Thanks.

Regards,
Feroz Basir

On 28 Jan 2014, at 10:40, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Perhaps the reason is, "vbs rat" isn't a specific attack, it's a generic term. We have lots of detection for Remote Access Tools; which one is really the question.

On Jan 27, 2014, at 7:49 PM, Feroz Basir <feroz.basir () gmail com> wrote:

Hi again,

Anybody knows? Please help.

Thanks.

Regards,
Feroz Fazidi Bin Basir

On 25 Jan 2014, at 19:34, Feroz Basir <feroz.basir () gmail com> wrote:

Hi all,

Anybody knows which rule that vrt uses for detecting the VBS RAT threat? I'm sniffing proxy packets, which I think change the packet.

Thanks.

Regards,
Feroz Basir
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
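The difference between the two rule variants Kevin gives (http_header plus pcre /H versus raw-payload pcre /sm) emulated in Python, as an added example that is not from the thread or from Snort itself. It assumes a simplified model of the Snort 2 HTTP preprocessor in which the normalized header buffer only exists for destination ports in $HTTP_PORTS (assumed default set {80, 8080}), and uses a constructed beacon request.

```python
import re
from typing import Optional, Set

# Assumption (simplified Snort 2 model): http_* buffers are only built for
# traffic whose destination port is in $HTTP_PORTS; other ports are never
# handed to the HTTP preprocessor, so http_header rules cannot match there.
HTTP_PORTS_DEFAULT: Set[int] = {80, 8080}

# pcre from sid:123991 (/H): evaluated against the normalized header block only.
PCRE_HEADER = re.compile(rb"Host\x3A[^\r\n]*some\.website\.net")
# pcre from sid:123992 (/sm): evaluated against the whole raw TCP payload.
PCRE_RAW = re.compile(rb"Host\x3A[^\r\n]*some\.website\.net", re.S | re.M)


def http_header_block(payload: bytes) -> Optional[bytes]:
    """Return the request header block, or None if the payload is not HTTP."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep or not re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", head):
        return None
    return head


def rule_http_header_variant(dst_port: int, payload: bytes,
                             http_ports: Set[int] = HTTP_PORTS_DEFAULT) -> bool:
    """sid:123991 - dst $HTTP_PORTS; content + pcre /H on the header buffer."""
    if dst_port not in http_ports:
        return False                      # no HTTP inspection on this port at all
    hdr = http_header_block(payload)
    if hdr is None or b"some.website.net" not in hdr:
        return False                      # content:"some.website.net"; http_header;
    return PCRE_HEADER.search(hdr) is not None


def rule_raw_variant(dst_port: int, payload: bytes,
                     dst_ports: Optional[Set[int]] = None) -> bool:
    """sid:123992 - raw content + pcre /sm; dst_ports=None means 'any' (Kevin's preference)."""
    if dst_ports is not None and dst_port not in dst_ports:
        return False
    if b"some.website.net" not in payload:
        return False                      # fast_pattern:only content pre-check
    return PCRE_RAW.search(payload) is not None


def evaluate(dst_port: int, payload: bytes,
             http_ports: Set[int] = HTTP_PORTS_DEFAULT) -> dict:
    """Run both rule variants over one constructed packet; dst port 'any' for the raw rule."""
    return {"123991": rule_http_header_variant(dst_port, payload, http_ports),
            "123992": rule_raw_variant(dst_port, payload)}


# Constructed sample beacon: an ordinary HTTP request sent to a non-HTTP port.
BEACON = (b"GET /gate.php?id=1 HTTP/1.1\r\n"
          b"User-Agent: Mozilla/4.0\r\n"
          b"Host: some.website.net\r\n\r\n")
```

With the beacon on port 1000 only the raw variant fires until 1000 is added to the port set; a payload that merely mentions the domain in the body does not match either rule because `[^\r\n]*` keeps the pcre on the Host line.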