Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"
From: Matt Olney <molney () sourcefire com>
Date: Wed, 29 Feb 2012 16:19:34 -0500
Um... alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq structure"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;) THE WAY would be to add file_data; before the content match and remove fast_pattern:only; That would be a standardized formatting issue rather than anything that would affect the performance of the rule. We remove fast_pattern:only; because it allows the match outside of the file_data buffer (not that that would matter in this case, you're not going to see }catch{qq anywhere else. Because it is a file, and you're not using any http_inspect buffers, we'd use $FILE_DATA_PORTS in case it is delivered via mail (saw one like that yesterday). Since you're associating with an exploit kit, rather than an active trojan, and given that exploits are typically aimed at user applications, I'd use classtype:attempted-user; So WE would probably write it something like: alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS Possible Blackhole landing page with specific catch qq structure"; flow:to_client,established; file_data; content:")|3b|}catch(qq"; classtype:attempted-user; sid:x; rev:1;) Again, primarily cosmetic changes, and does nothing, in this simple case, to modify the functionality of the rule. Matt On Wed, Feb 29, 2012 at 12:39 PM, Community Proposed <lists () packetmail net>wrote:
Below is a proposed signature to detect the try{ catch()} approaches used by the Blackhole exploit kits which to date share a commonality with the attachment to "catch(qq". Looking at all of my PCAP samples these match nicely, perform well, and have not been prone to false positives. This is also doing very well in detecting new Blackhole initial landings and the various, near daily, changing permutations of the string splitting/building methods. I am seeing a large presence of legitimate sites which have been compromised now delivering Blackhole. Some of these are k12 US education/school sites. 21438 can be retired in place of the proposed above. Joel, existing PCAPs for Blackhole landings should suffice for validation of the above, if more are needed, please let me know. alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq structure"; flow:established,from_server; content:")|3b|}catch(qq"; fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;) I know there is a VRT standard for writing these, please respond to me after transforming the rule for compliance so that future submissions can adhere to this standard. The reference from 21438 can be used here. Thanks, Nathan ------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Community Proposed (Feb 29)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Matt Olney (Feb 29)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Community Signatures (Feb 29)
- Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq" Matt Olney (Feb 29)