Re: Assist with FrameworkPOS sig

[rmkml <rmkml () yahoo fr>]

Please add s on pcre option please.
Regards
@Rmkml


On Wed, 15 Oct 2014, rmkml wrote:

> Thx James for sharing,
>
> Could you check this revision please ? (not tested)
>
>  alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS beacon";
>  flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon;
>  fast_pattern:only;
> pcre:"/\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}[\x18-\x60][a-f0-9]{24,96}[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00/";
> metadata:impact_flag red, policy balanced-ips drop,
>  policy security-ips drop, service dns; 
> reference: url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/;
>  classtype:trojan-activity; sid:10000137; rev:2;)
>
> c5008015
> ->  \x08[a-f0-9]{8}
>
> .beacon
> ->  \x06beacon
>
> .c3cbc0dcc3c4cadcc4cbdcc4cb
> ->  [\x18-\x60][a-f0-9]{24,96}
>
> .a2b3a7bedfb3b0b1c3c0c1c6
> ->  [\x18-\x60][a-f0-9]{24,96}
>
> .domain
> ->  [\x03-\x60]\w{3,96}
>
> .com
> [\x02-\x06]\w{2,6}\x00
>
> Comments is welcome ;)
>
> Regards
> @Rmkml
>
>
>
> On Wed, 15 Oct 2014, James Lay wrote:
>
> >  Hey all,
> >
> >  I'm attempting to get something going for the below:
> >
> >  https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html
> >
> >  In a nutshell I'm trying to create a couple sigs to match:
> >
> >      Id.beacon.encoded_data1.encoded_data2.domain.com
> >
> >  This request is the heartbeat. The ID is a random ID generated during
> >  the first execution of the malware. Encoded_data1 is the IP address of
> >  the infected machine and encoded_data2 is the host name of the machine.
> >
> >      Id.alert.encoded_data3.domain.com
> >
> >  The ID is the same random ID as used in the example above and
> >  encoded_data3 is a process name. The attackers receive the process name
> >  each time a credit card number is found in the memory.
> >
> >
> >  An example DNS request:
> >
> >  c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com
> >
> >  alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS
> >  beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon|1A|;
> >  fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
> >  policy security-ips drop, service dns;
> > reference: url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/;
> >  classtype:trojan-activity; sid:10000137; rev:1;)
> >
> >  What I don't have intel on is if the values before and after beacon and
> >  alert change length.  Is pcre a good fit for this?  Or something else?
> >  Thanks for looking all.
> >
> >  James

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!