Snort mailing list archives
Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 28 Jan 2015 21:39:15 +0000
We've edited the rule and it will ship in the next rule release.

--
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 1:35 PM, Jamie Riden <jamie.riden () gmail com> wrote:

Just as a data point, this is what my Amazon Cloud Player thing says - it shouldn't have matched the posted rule. And it goes over TLS1.2 if I don't force it to proxy.

POST /dmls/getStreamingURLs HTTP/1.1
Host: www.amazon.co.uk
Connection: keep-alive
Content-Length: 654
Accept: application/json, text/javascript, */*; q=0.01
Content-Encoding: amz-1.0
Content-Type: application/json; charset=UTF-8
Origin: https://www.amazon.co.uk
User-Agent: Mozilla/5.0 (Windows 7) AppleWebKit/537.4 (KHTML, like Gecko) Morpho/3.7.1.698 Safari/537.4
X-Amz-Target: com.amazon.digitalmusiclocator.DigitalMusicLocatorServiceExternal.getStreamingURLs
<snip>

On 28 January 2015 at 20:09, Jeff Stebelton <sysprobe9127 () gmail com> wrote:

Just an update, all Windows boxes we've seen trigger this were connecting to det-ta-g7g.amazon.com and have Amazon Cloud Player installed. There was also an unknown Mac; we assume it had Cloud Player installed as well.

On Wed, Jan 28, 2015 at 1:41 PM, Alex McDonnell <amcdonnell () sourcefire com> wrote:

Hi Ben,

This UA string is not one that "should" be found; errors like this will happen. User Agents are pretty much user defined, and despite checking against known UA strings on resources like useragentstring.com and www.user-agents.org/ or running against our non-trivial amount of pcaps, FPs can crop up. A PCAP of the FP can help us identify why this shortened UA string was used and how to avoid it, both now and in future FP testing.

Thanks
Alex McDonnell
TALOS

On Wed, Jan 28, 2015 at 1:32 PM, Benjamin Small <benjamin.small83 () gmail com> wrote:

I get that PCAPs are useful, but this sig has been stripped down to just a UA. It's not like the UA is a distinct string; it's a substring of one of the most popular UAs you'll see. If this were crafted as a low priority "suspicious" rule it would be *almost* ok, but as a drop rule? I would hope that your signature review process would have caught something like this.

-Ben

On Wed, Jan 28, 2015 at 6:33 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

Yeah. Pcaps would help. I think we can isolate the false positives, just want some examples to check against.

--
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 9:29 AM, Jeff Stebelton <sysprobe9127 () gmail com> wrote:

Seeing some false positives here. Latest ones appear to be an Amazon app using the Mozilla/5.0 User Agent.

On Wed, Jan 28, 2015 at 9:03 AM, Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov> wrote:

It looks like the 'content:"/2507US-1/";' match has been removed from 1:31557 in rev 3, which is causing a lot of apparent FPs on our network. Anyone else seeing this?

Rev 2:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:2; )

Rev 3:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:3; )

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)

-----Original Message-----
From: Research [mailto:research () sourcefire com]
Sent: Tuesday, January 27, 2015 12:42
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2015-01-27

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.
Details:
The VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:
https://www.snort.org/advisories

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFUx80xQLjqI2QiHVMRAvgyAJ4i4BtN6tT8rbRFuADxU9Q5XFkt2QCfWyFr
92zwsadqdriaRWRP5EFdlFc=
=Q9n5
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
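As an added illustration (not code from the thread or from Snort itself), the following Python model decodes the content strings of sid 31557 rev 2 and rev 3 as quoted above and replays their matching logic over three constructed requests, reducing Snort's http_uri and http_header buffers to plain substring checks; the Cloud Player request is trimmed from the headers Jamie posted.

```python
# Added model of sid 31557 rev 2 vs rev 3 (not Snort's own matcher); Snort's
# http_uri / http_header buffers are approximated by plain substring checks.

def snort_content(pattern: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text
    inside |...| is space-separated hex bytes (so |0D 0A| becomes CRLF)."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def split_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP request."""
    request_line, _, headers = raw.partition(b"\r\n")
    return request_line.split(b" ")[1], headers

# Content matches quoted in the thread: the UA match is nocase, the URI match
# (present only in rev 2) is case-sensitive.
UA_MATCH = snort_content("User-Agent|3A| Mozilla/5.0|0D 0A|")
URI_MATCH = snort_content("/2507US-1/")

def rev2_fires(raw: bytes) -> bool:
    uri, headers = split_request(raw)
    return URI_MATCH in uri and UA_MATCH.lower() in headers.lower()

def rev3_fires(raw: bytes) -> bool:
    _, headers = split_request(raw)
    return UA_MATCH.lower() in headers.lower()

# Constructed: the traffic shape rev 2 was written for (URI token + bare UA).
ANDROMEDA_LIKE = (b"GET /2507US-1/ HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
# Constructed: an ordinary request whose only oddity is the bare "Mozilla/5.0"
# UA; rev 3 drops it, rev 2 would not.
BARE_UA_BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
# Trimmed from the Cloud Player headers Jamie posted: the UA continues past
# "Mozilla/5.0", so the CRLF in the content match never lines up.
CLOUD_PLAYER = (b"POST /dmls/getStreamingURLs HTTP/1.1\r\nHost: www.amazon.co.uk\r\n"
                b"User-Agent: Mozilla/5.0 (Windows 7) AppleWebKit/537.4 "
                b"(KHTML, like Gecko) Morpho/3.7.1.698 Safari/537.4\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("andromeda-like", ANDROMEDA_LIKE),
                      ("bare-ua benign", BARE_UA_BENIGN),
                      ("cloud player", CLOUD_PLAYER)]:
        print(f"{name:15} rev2={rev2_fires(req)} rev3={rev3_fires(req)}")
```

The second request shows the cost of dropping the URI anchor: any client that sends a bare "Mozilla/5.0" User-Agent is now dropped by rev 3, while the posted Cloud Player request is not matched by either revision.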