Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Multiple signatures 006

From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Fri, 27 Jul 2018 08:34:42 -0400
On Wed, Jul 25, 2018 at 9:39 AM, Y M via Snort-sigs <
snort-sigs () lists snort org> wrote:


Hi,

Pcaps are available for some of the signatures below.

# --------------------
# Date: 2018-07-24
# Title: User-Agents of IoT Scanners
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: These are UAs seen in inbound IoT scanners. Howerver, we don't
care for inbound traffic
#        since there are rules to detect the exploits, and they are noisy.
Rather, we use the
#        UAs for outbound traffic from the "protected" IoT network, just
in case.

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT
scanner User-Agent outbound connection detected - Gemini";
flow:to_server,established; content:"User-Agent: Gemini/";
fast_pattern:only; http_header; metadata:ruleset community, service http;
classtype:attempted-admin; sid:8000202; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT
scanner User-Agent outbound connection detected - Hakai";
flow:to_server,established; content:"User-Agent: Hakai/";
fast_pattern:only; http_header; metadata:ruleset community, service http;
classtype:attempted-admin; sid:8000203; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT
scanner User-Agent outbound connection detected - Hello, World";
flow:to_server,established; content:"User-Agent: Hello, World";
fast_pattern:only; http_header; metadata:ruleset community, service http;
classtype:attempted-admin; sid:8000204; rev:1;)

# --------------------
# Date: 2018-07-24
# Title: Osx.Backdoor.Calisto
# Tests: syntax only
# Reference:
#    - https://securelist.com/calisto-trojan-for-macos/86543/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Backdoor.Calisto outbound connection"; flow:to_server,established;
content:"/upload.php?username="; fast_pattern:only; http_uri;
content:"/calisto/"; http_uri; metadata:ruleset community, service http;
reference:url,securelist.com/calisto-trojan-for-macos/86543/;
classtype:trojan-activity; sid:8000205; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Osx.Backdoor.Calisto outbound connection"; flow:to_server,established;
content:"/listenyee.php"; fast_pattern:only; http_uri; content:"/calisto/";
http_uri; metadata:ruleset community, service http; reference:url,
securelist.com/calisto-trojan-for-macos/86543/;
classtype:trojan-activity; sid:8000206; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: AgentTesla SMTP Exfil.
# Reference:
#     - https://www.virustotal.com/#/file/030228c5caa62e7727e0a664ef18fd
f5663e7edbc2d2f7e5c38bf06526a5023e/detection
#     - https://www.virustotal.com/#/file/0c5f9ab0d84eada4be9e6f86cf81a2
b3dd0fbb708342eded078a152490ceb15e/detection
#     - https://www.virustotal.com/#/file/b9253b60188214a143b2b7d2b0a3b1
adb1d0834b6fc231b9da7b61c9c3184e92/detection
# Tests: pcap
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC
Win.Trojan.AgentTesla outbound SMTP connection";
flow:to_server,established; content:"|0D 0A|Subject: admin/PC Passwords
Recovered From: "; fast_pattern:only; metadata: ruleset community, service
smtp; classtype:trojan-activity; sid:8000207; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Win.Trojan.Betabot
# Reference:
#     - https://www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba
05d754326c693941c46267506652ba0686/detection
# Tests: pcap

# Confidence: low
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Betabot variant outbound connection";
flow:to_server,established; content:"/do/logout.php?id=";
fast_pattern:only; http_uri; content:"Content-Type: application/x-www-form-urlencoded";
http_header; content:!"Connection"; http_header; content:!"Referer";
http_header; metadata:ruleset community, service http; reference:url,
www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba
05d754326c693941c46267506652ba0686/detection; classtype:trojan-activity;
sid:8000208; rev:1;)
# --------------------
# Date: 2018-07-25
# Title: Encoded binary downloads with suspicious HTTP Responses
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Observed in Win.Worm.Urahu/Skillies traffic.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE
decimal encoded binary download attempt - Win.Worm.Urahu/Skillies";
flow:to_client,established; content:"Content-type:
application/octet-stream|0D 0A|Content-Disposition: attachment|0D
0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"77
90"; metadata:ruleset community, service http; classtype:trojan-activity;
sid:8000209; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE
base64 encoded binary download attempt - Win.Worm.Urahu/Skillies";
flow:to_client,established; content:"Content-type:
application/octet-stream|0D 0A|Content-Disposition: attachment|0D
0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"TVqQ";
metadata:ruleset community, service http; classtype:trojan-activity;
sid:8000210; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Remote administration tools
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: This is policy only since the tools may be legitimate but
#        also outside the scope of the allowed tools per policy. Detection
#        on the network maybe considered an indicator.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote
Administration Tool detected - RemoteUtilities";
flow:to_server,established; content:"<rman_message version=";
fast_pattern:only; content:"<code>1</code>"; metadata:ruleset community;
classtype:policy-violation; sid:8000211; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote
Administration Tool detected - RemoteUtilities";
flow:to_client,established; content:"<rman_message version=";
fast_pattern:only; content:"<code>3</code>"; content:"</rman_message>";
distance:0; metadata:ruleset community; classtype:policy-violation;
sid:8000212; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote
Administration Tool detected - Imminent"; flow:to_server,established;
dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only;
metadata:ruleset community; classtype:policy-violation; sid:8000213; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote
Administration Tool detected - Imminent"; flow:to_client,established;
dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only;
content:"$"; distance:2; metadata:ruleset community;
classtype:policy-violation; sid:8000214; rev:1;)

Thanks.
YM




Hi Yaser,

We really appreciate these submissions. We will review each of them and get
back to you when finished.  We'd appreciate any pcaps you could send.  Have
a great day!

-- 
Marcos Rodriguez
Cisco Talos

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Previous By Date Next
Previous By Thread Next

Current thread: