APT28 Snort Signatures


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Tue, 28 Oct 2014 12:46:05 -0400

Howdy Howdy. I'm sure many of you are aware of the recent news with APT28.
If not, have a look:
http://www.fireeye.com/resources/pdfs/apt28.pdf
https://github.com/fireeye/iocs/tree/master/APT28

I have developed and tested signatures based on the PDF report and the
IOCs provided by FireEye. Here is what I have:

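# CORESHELL beacon: HTTP POST to a "/check/" URI carrying the abbreviated
# "User-Agent: MSIE 8.0" header described in the FireEye APT28 report.
# The header content is fast_pattern:only, so it is matched by the
# (case-insensitive) fast-pattern matcher and not re-evaluated as a rule
# option; the rule otherwise hinges on a POST with "/check/" in the URI.
# Fixes vs. the posted version: the reference option was not terminated
# with ';', so "metadata:..." was swallowed into the reference id and the
# "service http" tag was lost; "policy" was also missing in front of
# "security-ips drop" (the posted rule tags security-ips only, kept as-is).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CORESHELL POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/check/"; http_uri; content:"User-Agent|3A| MSIE 8.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:policy security-ips drop, service http; sid:1000000; rev:2;)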
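# CHOPSTICK v1 beacon: POST to a Google-lookalike "/webhp?rel=...hl=...ai="
# URI with a fixed Firefox 20 User-Agent. The User-Agent content is the
# fast pattern (fast_pattern:only => matched case-insensitively by the
# MPSE, not re-checked as a rule option); the three URI contents are
# evaluated in order, each relative to the previous one (distance:0).
# NOTE(review): the header content expects "Windows NT 6.;" with no minor
# version — confirm against the report/samples; if the implant sends e.g.
# "6.1;" this fast pattern never matches and the rule never fires.
# Fix vs. the posted version: the reference option lacked its closing ';',
# so "metadata:..." (including "service http") was swallowed into it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v1 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webhp?rel="; nocase; http_uri; content:"hl="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:2;)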
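# CHOPSTICK v2 beacon: POST to a Google-lookalike "/search?btnG=...utm=...ai="
# URI with the same fixed Firefox 20 User-Agent as the v1 rule. The
# User-Agent content is the fast pattern (fast_pattern:only => matched
# case-insensitively by the MPSE, not re-checked as a rule option); the URI
# contents are evaluated in order, each relative to the previous (distance:0).
# NOTE(review): as in the v1 rule, "Windows NT 6.;" with no minor version
# should be confirmed against the samples — a mismatch here silences the rule.
# Fix vs. the posted version: the reference option lacked its closing ';',
# so "metadata:..." (including "service http") was swallowed into it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v2 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/search?btnG="; nocase; http_uri; content:"utm="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:2;)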
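# OLDBAIT beacon: POST to "/index.php" with "prefs=" in the request body.
# "/index.php" is the fast pattern (fast_pattern:only => matched
# case-insensitively by the MPSE only), so every POST to an index.php on
# the network enters rule evaluation; the real discriminator is "prefs="
# in the body, which needs http_inspect client-body inspection
# (post_depth) enabled. Expect this to be noisy on ordinary web traffic;
# tighten "prefs=" (offset/depth, surrounding bytes) once sample traffic
# is available.
# Fix vs. the posted version: the reference option lacked its closing ';',
# so "metadata:..." (including "service http") was swallowed into it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OLDBAIT POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; fast_pattern:only; content:"prefs="; nocase; http_client_body; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:2;)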
# APT28 infrastructure: outbound UDP DNS query for kavkazcentr.info or any
# name under it (no |00| terminator, so search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000004; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for rnil.am or any name
# under it (no |00| terminator, so search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS rnil.am"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000005; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for standartnevvs.com or any
# name under it (no |00| terminator, so search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS standartnevvs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000006; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for novinitie.com or any
# name under it (no |00| terminator, so search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS novinitie.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000007; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for n0vinite.com (note the
# zero) or any name under it (no |00| terminator, so search-suffixed
# lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS n0vinite.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000008; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for qov.hu.com (gov.hu
# lookalike) or any name under it (no |00| terminator, so search-suffixed
# lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS qov.hu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000009; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for mail.g0v.pl (gov.pl
# lookalike, note the zero) or any name under it (no |00| terminator, so
# search-suffixed lookups match too). The content is anchored on the
# "mail" label, so a bare g0v.pl lookup is NOT covered by this rule.
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS mail.g0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000010; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for baltichost.org or any
# name under it (no |00| terminator, so search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS baltichost.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000011; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for nato.nshq.in or any
# name under it (no |00| terminator, so search-suffixed lookups match too).
# The content is anchored on the "nato" label, so a bare nshq.in lookup is
# NOT covered by this rule.
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS nato.nshq.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000012; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for natoexhibitionff14.com
# or any name under it (no |00| terminator, so search-suffixed lookups
# match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS natoexhibitionff14.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000013; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for login-osce.org or any
# name under it (no |00| terminator, so search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS login-osce.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000014; rev:1;)
# APT28 infrastructure: outbound UDP DNS query for smigroup-online.co.uk or
# any name under it (no |00| terminator, so search-suffixed lookups match
# too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS smigroup-online.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000015; rev:1;)
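# APT28 infrastructure: outbound UDP DNS query for q0v.pl (gov.pl lookalike,
# note the zero) or any name under it (no |00| terminator, so
# search-suffixed lookups match too).
# byte_test on DNS header byte 2 requires QR=0 and opcode=0 (standard query).
# Only UDP/53 leaving $HOME_NET is watched: behind an internal recursive
# resolver this fires on the resolver's upstream query, not the client's.
# Fix vs. the posted version: the reference was written "reference:
# urlgithub.com/..." with the comma between scheme and id missing; Snort
# expects "reference:<scheme>,<id>", so that line will not parse and can
# keep the whole rules file from loading.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS q0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; sid:1000016; rev:2;)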

Questions? Concerns? Improvements? Feel free to contact me on-list (for
everyone's benefit) or modify as you see fit. The rules are also included
as an attachment for your convenience.

-- 
when does reality end? when does fantasy begin?

Attachment: apt28.rules
Description:
