Snort mailing list archives
Re: Necessary Change for "1:21417 <-> SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 5 Mar 2012 10:48:41 -0500
Nathan,

I changed our rule to this:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1.6|0D 0A|"; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:21417; rev:3;)

It fires perfectly. Thanks for the update.

Joel

On Mar 5, 2012, at 10:36 AM, Joel Esler wrote:
> Thanks Nathan, I'm taking a look at this now.
>
> On Mar 5, 2012, at 9:24 AM, Community Proposed wrote:
>
>> Please adjust 21417 to these content matches:
>>
>> file_data; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; content:"|0d 0a|%PDF-1.6|0d 0a|"; content:"|0d 0a 31 39 20 30 20 6f 62 6a 0d 0a|"; distance:0;
>>
>> The author string appears to be random or varying; however, the PDF header/objects and CreationDate are consistent.
>>
>> "bub lob" variant:
>>
>> "yfvfp" variant:
>>
>> Thanks,
>> Nathan
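The content matches discussed in this thread, replayed in Python as an added example (not code from the thread or from Snort): it emulates Snort's ordered `content` matching, including `|hex|` escapes and the `distance:0` anchoring Nathan proposed, over two constructed `file_data` bodies, one modelled on the Laik PDF layout above and one benign. Sample payloads and the function names are assumptions for illustration.

```python
# Constructed sample payloads (not the captures from the thread): the body of
# an HTTP response as Snort's file_data buffer would present it.
LAIK_PDF_SAMPLE = (
    b"%PDF-1.6\r\n%\xe2\xe3\xcf\xd3\r\n19 0 obj\r\n<</Filter/FlateDecode /Length 24>>\r\n"
    b"stream\r\n" + b"x" * 24 + b"\r\nendstream\r\nendobj\r\n"
    b"9 0 obj <</Title (va) /Subject (ev) /Author (yvp devo) /Creator (bub lob)"
    b" /CreationDate (D:20110405234628)>>\r\nendobj\r\n"
)
BENIGN_PDF_SAMPLE = (
    b"%PDF-1.6\r\n%\xe2\xe3\xcf\xd3\r\n1 0 obj\r\n<</Type/Catalog>>\r\nendobj\r\n"
    b"9 0 obj <</Creator (pdflatex) /CreationDate (D:20120305104841)>>\r\nendobj\r\n"
)

# Joel's rev:3 matches: two independent (non-relative) content searches.
RULE_21417_REV3 = [
    ("%PDF-1.6|0D 0A|", False),
    (") /CreationDate (D:20110405234628)>>", False),
]
# The tighter variant from Nathan's proposal: "\r\n19 0 obj\r\n" must follow
# the header (distance:0), then the fixed CreationDate anywhere in the buffer.
RULE_TIGHTER = [
    ("%PDF-1.6|0d 0a|", False),
    ("|0d 0a 31 39 20 30 20 6f 62 6a 0d 0a|", True),
    (") /CreationDate (D:20110405234628)>>", False),
]


def snort_content(pattern: str) -> bytes:
    """Convert a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                       # odd parts sit between | | : hex bytes
            out += bytes.fromhex(part)  # fromhex ignores the spaces
        else:
            out += part.encode("latin-1")
    return bytes(out)


def match_rule(file_data: bytes, contents) -> bool:
    """Emulate ordered content matches; each entry is (pattern, relative).

    relative=True stands for distance:0 (search starts where the previous
    match ended); otherwise the search restarts at the buffer start.
    """
    cursor = 0
    for pattern, relative in contents:
        needle = snort_content(pattern)
        pos = file_data.find(needle, cursor if relative else 0)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True
```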