Snort mailing list archives
Re: Payload not fitting rule content detection on snort + snorby
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 8 Sep 2015 09:30:20 -0400
On 09/07/2015 03:45 AM, Txalin wrote:
> # cat snort.rules | grep "MALWARE-TOOLS Win.Trojan.Dridex dropper message"
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d56e7dea0e119f9a37f2cb7915c3aca0056064a8cc2bd373f2a9a8d97d548c43/analysis/; classtype:trojan-activity; sid:34945; rev:1;)
while i cannot help with your problem, i do want to point out that the content stream that rule is using is an extremely poor choice to be using for detection of dridex or any other malware... that string is the default value for the X-Mailer field in that popular free open source PASCAL code library... i use the very same library here in my own projects... the library, itself, has nothing to do with malware of any type... the coder(s) of the malware in question simply have not placed a proper name for the mailer in their project... that or they are rotating valid strings like is seen with user agent strings...

[sarcasm] i'm sure that Lukas Gebauer will be overjoyed to see his name abused like that... [/sarcasm]

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
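To make the point concrete, here is an added Python example (not code from the thread or from Snort): it parses the quoted rule into its options, pulls out the single content match, and applies it to two constructed SMTP bodies. A routine report mail sent with the Synapse library and a suspect "invoice" mail hit the rule identically. The rule string below drops the long reference URL but is otherwise as quoted; both mail bodies are constructed samples.

```python
import re
from typing import Dict, List

# The rule as quoted in the thread, minus the reference URL (sample rule text, otherwise verbatim).
RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ('
    'msg:"MALWARE-TOOLS Win.Trojan.Dridex dropper message"; flow:to_server,established; '
    'file_data; content:"X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer"; '
    'fast_pattern:only; classtype:trojan-activity; sid:34945; rev:1;)'
)

# One option per match: keyword, optional quoted or bare value, terminated by ';'.
OPTION_RE = re.compile(r'\s*([a-z_]+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule: str) -> Dict[str, object]:
    """Split a Snort rule into its header fields and an ordered (keyword, value) option list."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, _, dst, dport = header.split()
    options = []
    for m in OPTION_RE.finditer(body.rstrip().rstrip(')')):
        key, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]  # strip the surrounding quotes
        options.append((key, val))
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'dst': dst, 'dport': dport, 'options': options}

def content_patterns(parsed: Dict[str, object]) -> List[str]:
    """Every content: value the rule requires (this rule has exactly one)."""
    return [v for k, v in parsed['options'] if k == 'content']

def rule_matches(parsed: Dict[str, object], payload: str) -> bool:
    """Plain substring check: a Snort content match without nocase is case-sensitive."""
    return all(p in payload for p in content_patterns(parsed))

# Constructed SMTP DATA bodies, not real captures. Both carry the library's default X-mailer line.
LEGIT_MAIL = ("From: reports@example.test\r\nTo: ops@example.test\r\n"
              "Subject: nightly backup report\r\n"
              "X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n\r\n"
              "Backup completed: 0 errors.\r\n")
SUSPECT_MAIL = ("From: invoice@example.test\r\nTo: victim@example.test\r\n"
                "Subject: Invoice attached\r\n"
                "X-mailer: Synapse - Pascal TCP/IP library by Lukas Gebauer\r\n\r\n"
                "Please see the attached document.\r\n")

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    for name, mail in (("legit", LEGIT_MAIL), ("suspect", SUSPECT_MAIL)):
        print(f"sid {dict(parsed['options'])['sid']} fires on {name} mail: {rule_matches(parsed, mail)}")
```

Because the only content string is the library default, anything sent through Synapse with an unchanged X-mailer header triggers the rule, which is exactly the false-positive exposure described above.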