Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS High Probability Blackhole Landing with catch qq"

[Matt Olney <molney () sourcefire com>]

Um...

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq
structure"; flow:established,from_server; content:")|3b|}catch(qq";
fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)

THE WAY would be to add file_data; before the content match and remove
fast_pattern:only;  That would be a standardized formatting issue rather
than anything that would affect the performance of the rule.  We remove
fast_pattern:only; because it allows the match outside of the file_data
buffer (not that that would matter in this case, you're not going to see
}catch{qq anywhere else.

Because it is a file, and you're not using any http_inspect buffers, we'd
use $FILE_DATA_PORTS in case it is delivered via mail (saw one like that
yesterday).

Since you're associating with an exploit kit, rather than an active trojan,
and given that exploits are typically aimed at user applications, I'd use
classtype:attempted-user;

So WE would probably write it something like:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"COMMUNITY
SPECIFIC-THREATS Possible Blackhole landing page with specific catch qq
structure"; flow:to_client,established; file_data;
content:")|3b|}catch(qq"; classtype:attempted-user; sid:x; rev:1;)

Again, primarily cosmetic changes, and does nothing, in this simple case,
to modify the functionality of the rule.

Matt

On Wed, Feb 29, 2012 at 12:39 PM, Community Proposed
<lists () packetmail net>wrote:

> Below is a proposed signature to detect the try{ catch()} approaches used
> by
> the Blackhole exploit kits which to date share a commonality with the
> attachment to "catch(qq".  Looking at all of my PCAP samples these match
> nicely, perform well, and have not been prone to false positives.
>
> This is also doing very well in detecting new Blackhole initial landings
> and
> the various, near daily, changing permutations of the string
> splitting/building methods.  I am seeing a large presence of legitimate
> sites
> which have been compromised now delivering Blackhole.  Some of these are
> k12
> US education/school sites.
>
> 21438 can be retired in place of the proposed above.  Joel, existing PCAPs
> for
> Blackhole landings should suffice for validation of the above, if more are
> needed, please let me know.
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY
> SPECIFIC-THREATS High Probability Blackhole Landing with specific catch qq
> structure"; flow:established,from_server; content:")|3b|}catch(qq";
> fast_pattern:only; classtype:trojan-activity; sid:x; rev:1;)
>
> I know there is a VRT standard for writing these, please respond to me
> after
> transforming the rule for compliance so that future submissions can adhere
> to
> this standard.  The reference from 21438 can be used here.
>
> Thanks,
> Nathan
>
>
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing 
also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!