Snort mailing list archives

Re: Payload not fitting rule content detection on snort + snorby


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 8 Sep 2015 09:30:20 -0400

On 09/07/2015 03:45 AM, Txalin wrote:
# cat snort.rules | grep "MALWARE-TOOLS Win.Trojan.Dridex dropper message"
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/; classtype:trojan-activity; sid:34945; rev:1;)

while i cannot help with your problem, i do want to point out that the content 
stream that rule is using is an extremely poor choice to be using for detection 
of dridex or any other malware... that string is the default value for the 
X-Mailer field in that popular free open source PASCAL code library... i use the 
very same library here in my own projects... the library, itself, has nothing to 
do with malware of any type... the coder(s) of the malware in question simply 
have not placed a proper name for the mailer in their project... that or they 
are rotating valid strings like is seen with user agent strings...

[sarcasm] i'm sure that Lukas Gebauer will be overjoyed to see his name abused 
like that... [/sarcasm]

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
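The point made in the reply can be replayed offline. The following script is an added example, not code from the post, from Snort, or from the Talos rule set: it parses the option block of the rule quoted in the thread, extracts the `content:` pattern that `fast_pattern:only` makes the rule's sole detection check, and applies it the way Snort applies `content` without `nocase` (exact, case-sensitive bytes) to three constructed SMTP messages. It assumes that for SMTP the `file_data` buffer covers the DATA payload (headers plus body); the message samples, addresses and the `BackupReporter/2.1` mailer string are invented.

```python
"""Replay the content check of Snort SID 34945 (quoted above) over constructed
SMTP messages, to show what the rule does and does not distinguish."""
import re

# The rule from the thread (SID 34945 rev 1), trimmed to the options this script reads.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS '
    'Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; '
    'content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; '
    'fast_pattern:only; classtype:trojan-activity; sid:34945; rev:1;)'
)

# One rule option: keyword, optional ":value" (quoted values may contain ';'), then ';'.
OPT_RE = re.compile(r'\s*([a-z_]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_options(rule):
    """Return (keyword, value) pairs from the rule body; surrounding quotes are stripped."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPT_RE.finditer(body):
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]
        opts.append((key, val))
    return opts


def content_bytes(val):
    """Decode a Snort content string: literal text outside |...|, hex bytes inside."""
    out = bytearray()
    for i, seg in enumerate(val.split("|")):
        if i % 2:
            out += bytes.fromhex(seg)
        else:
            out += re.sub(r"\\(.)", r"\1", seg).encode("latin-1")
    return bytes(out)


def content_patterns(rule):
    """The byte strings every content: option of the rule requires."""
    return [content_bytes(v) for k, v in parse_options(rule) if k == "content"]


def rule_matches(rule, file_data):
    """Exact, case-sensitive substring match, as Snort applies content without nocase.
    Assumption: for SMTP, file_data is the DATA payload (headers plus body)."""
    return all(p in file_data for p in content_patterns(rule))


def evaluate(rule, samples):
    """Map each sample label to whether the rule's content check fires on it."""
    return {label: rule_matches(rule, data) for label, data in samples.items()}


# Constructed messages (not real traffic); addresses, subjects and bodies are invented.
SYNAPSE_DEFAULT = b"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n"
SAMPLES = {
    # an in-house reporting tool built on Synapse that kept the library default
    "benign-report": (
        b"From: reports@example.internal\r\nTo: ops@example.internal\r\n"
        b"Subject: Nightly backup summary\r\n" + SYNAPSE_DEFAULT +
        b"Content-Type: text/plain\r\n\r\nAll 12 backup jobs completed.\r\n"
    ),
    # the shape the rule was written for: same default header, attachment present
    "invoice-attachment": (
        b"From: billing@example.test\r\nTo: ops@example.internal\r\n"
        b"Subject: Invoice\r\n" + SYNAPSE_DEFAULT +
        b"Content-Type: application/octet-stream\r\n"
        b'Content-Disposition: attachment; filename="invoice.doc"\r\n\r\n'
        b"(attachment bytes omitted)\r\n"
    ),
    # the same tool after its author set a product-specific X-mailer: no hit
    "custom-xmailer": (
        b"From: reports@example.internal\r\nTo: ops@example.internal\r\n"
        b"Subject: Nightly backup summary\r\nX-mailer: BackupReporter/2.1\r\n"
        b"Content-Type: text/plain\r\n\r\nAll 12 backup jobs completed.\r\n"
    ),
}

if __name__ == "__main__":
    for label, hit in evaluate(RULE, SAMPLES).items():
        print(f"{label:20s} {'ALERT' if hit else '-'}")
```

The benign report and the invoice message produce identical hits, which is the reply's complaint in executable form: the only byte sequence the rule inspects is the library's default header, so an alert on this SID says "some Synapse-based mailer sent this", not "a dropper sent this". Triage of such alerts therefore has to lean on context the rule does not check, such as the sending host and whether an attachment is present.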

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!