Snort mailing list archives
Re: Snort-sigs Digest, Vol 12, Issue 50
From: 6vector9telemetry--- via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 8 Jun 2018 11:49:56 -0400
Obviously, his Trojan was discovered and blocked, now he is upset.

Confidentiality Notice: The information contained in this communication, including attachments, is privileged and confidential. It is intended only for the exclusive use of the addressee. If the reader is not the intended recipient, or the employee, or the agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us by return email or telephone immediately. Thank you.
On Jun 8, 2018, at 11:03 AM, Mkultra via Snort-sigs <snort-sigs () lists snort org> wrote:

rastus caint afford a "real" ids

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On June 8, 2018 9:21 AM, Ashlee Benge <abenge () sourcefire com> wrote:

Yaser,

We have reviewed the rules you submitted for CVE-2017-8570. Unfortunately, due to the obfuscation method used in the samples and a lack of static content matches, performance concerns prevent us from adding these rules to the ruleset.

On Tue, May 29, 2018 at 1:24 PM, <snort-sigs-request () lists snort org> wrote:

Send Snort-sigs mailing list submissions to snort-sigs () lists snort org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.snort.org/mailman/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists snort org
You can reach the person managing the list at snort-sigs-owner () lists snort org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..."

Today's Topics:
1. Win.Trojan.Dropper (O C)
2. CVE-2017-8570 (O C)

----------------------------------------------------------------------

Message: 1
Date: Tue, 29 May 2018 17:23:40 +0000
From: O C <snort () outlook com>
To: snort-sigs <snort-sigs () lists snort org>
Subject: [Snort-sigs] Win.Trojan.Dropper
Message-ID: <BN6PR1701MB18437AD38F6A61C998EECA4AA86D0 () BN6PR1701MB1843 namprd17 prod outlook com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

This downloader uses a rather unique User-Agent. Pcap is available for this one.
# --------------------
# Date: 2018-05-28
# Title: Win.Trojan.Dropper
# Tests: pcap
# Reference: https://www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - Win.Trojan.Dropper"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/detection; classtype:trojan-activity; sid:8000074; rev:1;)

Thanks.
YM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180529/d40e7252/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 29 May 2018 17:24:12 +0000
From: O C <snort () outlook com>
To: snort-sigs <snort-sigs () lists snort org>
Subject: [Snort-sigs] CVE-2017-8570
Message-ID: <BN6PR1701MB184314ADF9539049956466D5A86D0 () BN6PR1701MB1843 namprd17 prod outlook com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

This one is similar to the existing signatures 45415 and 45416. The only difference is that it uses the StdOleLink Moniker as opposed to the Composite Moniker. There are 2 versions for each rule. The first one is without using PCRE. The samples I worked with had the moniker slightly manipulated, and PCRE was a perfect fit. Pcaps available for these. Note that the sample documents contain multiple exploits and not just one.
# --------------------
# Date: 2018-05-06
# Title: CVE-2017-8570 StdOleLink
# Reference: https://www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection, https://www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection
# Tests: pcap
# The PCRE variants carry the flags R (match relative to the preceding content match)
# and i (case-insensitive); distance and nocase are content modifiers and do not apply to pcre.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000070; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[A-F0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000071; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - NON-PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; content:"C6AFABEC197FD211978E0000F8757E2A"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000072; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF StdOleLink Moniker object creation attempt - PCRE"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|5C|objupdate"; content:"003000000000000C000000000000046"; distance:0; fast_pattern; nocase; pcre:"/[A-F0-9\x20\x0a\x0d]{32}/Ri"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-8570; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8570; reference:url,www.virustotal.com/#/file/bebd4cd9aece49fbe6e7024e239638004358ff87d02f9bd4328993409da9e17c/detection; reference:url,www.virustotal.com/#/file/af9ed7de1d9d9d38ee12ea2d3c62ab01a79c6f4b241c02110bac8a53ea9798b5/detection; classtype:attempted-user; sid:8000073; rev:1;)

Thanks.
YM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180529/aafa85a1/attachment.html>

------------------------------

Subject: Digest Footer

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
http://www.snort.org
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Please visit http://blog.snort.org for the latest news about Snort!

------------------------------

End of Snort-sigs Digest, Vol 12, Issue 50
******************************************

--
Ashlee Benge
Detection Response Team
Talos Group

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit Snort.org to subscribe to the official Snort ruleset and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
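The two matching strategies YM's submission contrasts, the static content chain of the NON-PCRE rules and the whitespace-tolerant class of the PCRE rules, as an added illustration in Python that is not from this thread or from the Snort project. The CLSID tail and the second hex field are quoted from the submitted rules; the three RTF fragments are constructed, and the tolerant check is applied relative to the CLSID match in the way Snort's R flag would.

```python
import re

# StdOleLink CLSID {00000300-0000-0000-C000-000000000046} as hex text in an RTF
# \objdata stream (little-endian fields). Built piecewise so the length is clear.
CLSID_HEX = b"0003" + b"0" * 12 + b"C" + b"0" * 13 + b"46"
# The two static content strings quoted verbatim from the submitted rules: the
# 31-character tail of the CLSID and the 32-hex-digit field that follows it.
CLSID_TAIL = b"003000000000000C000000000000046"
SECOND_FIELD = b"C6AFABEC197FD211978E0000F8757E2A"
# Character class of the PCRE variant: 32 hex digits or whitespace bytes.
TOLERANT = re.compile(rb"[A-F0-9\x20\x0a\x0d]{32}", re.IGNORECASE)

# Constructed RTF fragments (not real samples) used as input.
CLEAN = b"{\\object\\objupdate\\objdata " + CLSID_HEX + SECOND_FIELD + b"0100}"
# Same fields, second one split by spaces and line breaks (the "slightly
# manipulated" moniker YM mentions); the static chain no longer lines up.
OBFUSCATED = (b"{\\object\\objupdate\\objdata " + CLSID_HEX
              + b"\r\nc6af abec 197f\nd211 978e 0000 f875 7e2a 0100}")
# An ordinary linked object: same control word and CLSID, unrelated payload.
BENIGN_LINK = b"{\\object\\objupdate\\objdata " + CLSID_HEX + b"0" * 38 + b"01}"

def _anchor(data: bytes) -> int:
    """Offset just past the CLSID tail when \\objupdate precedes it, else -1."""
    low = data.lower()
    i = low.find(b"\\objupdate")
    j = low.find(CLSID_TAIL.lower(), i) if i >= 0 else -1
    return -1 if j < 0 else j + len(CLSID_TAIL)

def static_match(data: bytes) -> bool:
    """NON-PCRE variant: a third ordered, case-insensitive content match."""
    end = _anchor(data)
    return end >= 0 and data.lower().find(SECOND_FIELD.lower(), end) >= 0

def tolerant_match(data: bytes) -> bool:
    """PCRE variant, evaluated relative to the CLSID match (Snort's R flag)."""
    end = _anchor(data)
    return end >= 0 and TOLERANT.match(data, end) is not None

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("obfuscated", OBFUSCATED),
                      ("benign link", BENIGN_LINK)):
        print(f"{name:12s} static={static_match(doc)!s:5s} "
              f"tolerant={tolerant_match(doc)}")
```

Only the tolerant variant catches the whitespace-broken fragment, but it also fires on the benign linked object, since any hex that follows the CLSID satisfies the class; in practice it reduces to matching \objupdate plus the StdOleLink CLSID, which is the "lack of static content matches" Ashlee's reply refers to.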
Current thread:
- Re: Snort-sigs Digest, Vol 12, Issue 50 Ashlee Benge (Jun 08)
- Re: Snort-sigs Digest, Vol 12, Issue 50 Mkultra via Snort-sigs (Jun 08)
- Re: Snort-sigs Digest, Vol 12, Issue 50 Mkultra via Snort-sigs (Jun 08)
- Re: Snort-sigs Digest, Vol 12, Issue 50 6vector9telemetry--- via Snort-sigs (Jun 08)
- Re: Snort-sigs Digest, Vol 12, Issue 50 Joel Esler (jesler) via Snort-sigs (Jun 11)
- Re: Snort-sigs Digest, Vol 12, Issue 50 6vector9telemetry--- via Snort-sigs (Jun 08)
- Re: Snort-sigs Digest, Vol 12, Issue 50 Y M via Snort-sigs (Jun 08)