Snort mailing list archives

Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS - Bredolab infected asset POSTing check-in"


From: Community Signatures <lists () packetmail net>
Date: Mon, 12 Mar 2012 13:45:04 -0500

On 03/12/12 13:39, Joel Esler wrote:
> Nathan --
> 
> I rewrote the rule as such:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BOTNET-CNC Trojan.Bredolab variant outbound connection";
> flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header;
> content:"smk="; depth:4; http_client_body;
> reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/;
> classtype:trojan-activity; sid:21562; rev:1;)
> 
> Do you see anything wrong there?  I tested it against the pcap you sent
> us as well as an internally generated pcap against the family of
> malware. And it fires fine.

I think this is a better way to have written this, thanks.  The abnormal
header ordering and UA are unique enough that, coupled with the HTTP POST
payload, we should not see false positives.

It didn't occur to me to use 'depth:4; http_client_body;' as a way to
avoid the unnecessary PCRE.

Thanks Joel!

Thanks,
Nathan
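As an added illustration that is not part of the thread, the script below re-implements the three content checks of the proposed rule in plain Python and runs them over constructed HTTP requests; it ignores Snort's HTTP inspection normalisation and flow state, and only shows why `depth:4; http_client_body;` pins "smk=" to the start of the body so no PCRE is needed.

```python
# Added example, not from the mailing list thread: mirror the content
# checks of the proposed sid 21562 over raw HTTP requests. Sample requests
# are constructed for the demonstration, not captured check-in traffic.

CRLF = b"\r\n"


def split_http_request(raw: bytes):
    """Return (method, header_block, body) or None if the request is incomplete."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        return None
    request_line, _, headers = head.partition(CRLF)
    method = request_line.split(b" ", 1)[0]
    # Re-append the CRLF so the last header line keeps its |0D 0A| terminator.
    return method, headers + CRLF, body


def rule_matches(raw: bytes) -> bool:
    """True when all three content checks of the rule hold for this request."""
    parsed = split_http_request(raw)
    if parsed is None:
        return False
    method, headers, body = parsed
    # content:"POST"; http_method;
    if method != b"POST":
        return False
    # content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header;
    # The trailing |0D 0A| means the UA must be exactly "Mozilla/4.0".
    if b"User-Agent: Mozilla/4.0\r\n" not in headers:
        return False
    # content:"smk="; depth:4; http_client_body;
    # depth:4 limits the search to the first four body bytes, so "smk=" must be
    # the very first form field; a later "smk=" in the body does not count.
    return body[:4] == b"smk="


# Constructed requests (hypothetical host, not real infrastructure).
CHECKIN = (b"POST /gate.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n"
           b"Host: example.invalid\r\n\r\nsmk=constructedvalue")
LATE_SMK = (b"POST /form HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n"
            b"Host: example.invalid\r\n\r\nuser=a&smk=1")
LONG_UA = (b"POST /gate.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n"
           b"Host: example.invalid\r\n\r\nsmk=constructedvalue")
GET_REQ = (b"GET /gate.php?smk=1 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n"
           b"Host: example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("CHECKIN", CHECKIN), ("LATE_SMK", LATE_SMK),
                      ("LONG_UA", LONG_UA), ("GET_REQ", GET_REQ)]:
        print(name, rule_matches(req))
```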

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

