Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 28 Jan 2015 21:06:18 +0000
Thanks Gerry.

--
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 2:04 PM, Dalton, Gerry <Gerry.Dalton () parsons com> wrote:

Funny you mentioned this..... our SourceFire alerts were going crazy with this one. We have an Application Jukebox which goes out to a license server that is triggering this alert. I will post PCAPs to the SourceFire customer site.

Gerry Dalton
Cyber Security Specialist ♦ Cybersecurity Infrastructure
1301 W. Pres. George Bush Hwy, Suite 350 ♦ Richardson, TX 75080-1140
Phone – 972.244.6153 ♦ Mobile – 972.207.6124
gerry.dalton () parsons com ♦ www.parsons.com

-----Original Message-----
From: Joel Esler [mailto:jesler () cisco com]
Sent: Wednesday, January 28, 2015 12:44 PM
To: Benjamin Small
Cc: Rodgers, Anthony (DTMB); snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2015-01-27

On Wed, Jan 28, 2015 at 10:32:43AM -0800, Benjamin Small wrote:

I get that PCAPs are useful, but this sig has been stripped down to just a UA. It's not like the UA is a distinct string; it's a substring of one of the most popular UAs you'll see. If this were crafted as a low-priority "suspicious" rule it would be *almost* ok, but as a drop rule? I would hope that your signature review process would have caught something like this.

-Ben

Rev 3:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:3; )

We aren't looking for a "subset" of a string though, we are looking for a distinct string: we are looking for a string where the entire User-Agent is "Mozilla/5.0", which is not a legitimate browser User-Agent. It may be used by legit applications in an incorrect way, but it's not a legitimate browser User-Agent.

We're currently evaluating the rule.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
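The point of disagreement in the thread is whether sid:31557 matches any User-Agent that starts with "Mozilla/5.0" or only a header whose entire value is "Mozilla/5.0". The |0D 0A| at the end of the content decides it, and that can be checked by emulating the rule's content match. This is an added example, not code from the thread or from Snort; the sample requests are constructed, and the http_header buffer is approximated as the raw request headers up to the blank line.

```python
# Content string from sid:31557 rev:3 as quoted in the thread: |3A| is ':'
# and |0D 0A| is CRLF, so the pattern only matches when "Mozilla/5.0" is the
# ENTIRE User-Agent value, not a prefix of a longer browser UA.
RULE_CONTENT = b"User-Agent: Mozilla/5.0\r\n"
FAST_PATTERN_OFFSET, FAST_PATTERN_LENGTH = 5, 20  # from fast_pattern:5,20


def fast_pattern() -> bytes:
    """The 20-byte slice at offset 5 that fast_pattern:5,20 hands to the
    multi-pattern matcher before the full content check runs."""
    return RULE_CONTENT[FAST_PATTERN_OFFSET:FAST_PATTERN_OFFSET + FAST_PATTERN_LENGTH]


def http_headers(request: bytes) -> bytes:
    """Approximation of Snort's http_header buffer: request line and headers
    up to and including the blank line, body excluded."""
    end = request.find(b"\r\n\r\n")
    return request if end == -1 else request[:end + 4]


def rule_matches(request: bytes) -> bool:
    """Emulate 'content:"..."; nocase; http_header;' as a case-insensitive
    substring search restricted to the header buffer."""
    return RULE_CONTENT.lower() in http_headers(request).lower()


# Constructed sample requests (not the PCAPs mentioned in the thread).
FIREFOX = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) "
           b"Gecko/20100101 Firefox/35.0\r\n\r\n")
BARE_UA = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
BARE_UA_LOWER = b"GET / HTTP/1.1\r\nHost: example.com\r\nuser-agent: mozilla/5.0\r\n\r\n"
# Same bytes in the body only: outside the http_header buffer, so no alert.
UA_IN_BODY = (b"POST / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/7.40\r\n"
              b"Content-Length: 25\r\n\r\nUser-Agent: Mozilla/5.0\r\n")

if __name__ == "__main__":
    samples = [("firefox", FIREFOX), ("bare", BARE_UA),
               ("bare_lower", BARE_UA_LOWER), ("ua_in_body", UA_IN_BODY)]
    for name, req in samples:
        print(f"{name:12s} -> {'ALERT' if rule_matches(req) else 'no match'}")
```

The full Firefox UA does not fire because the byte after "Mozilla/5.0" is a space rather than CR; only a header that ends right after "5.0" does, which is the behaviour Joel describes and the one Gerry's license-client traffic evidently exhibits.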
Current thread:
- Sourcefire VRT Certified Snort Rules Update 2015-01-27 Research (Jan 27)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Rodgers, Anthony (DTMB) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jeff Stebelton (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Benjamin Small (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Dalton, Gerry (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jeff Stebelton (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Benjamin Small (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Rodgers, Anthony (DTMB) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Alex McDonnell (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jeff Stebelton (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Jamie Riden (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Mike Hale (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 Joel Esler (jesler) (Jan 28)
- Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27 lists () packetmail net (Jan 28)