Re: UTF-8 BOM

[Joel Esler <jesler () sourcefire com>]

How about something like this James?  (Three rules)


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; 
flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; 
content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data; 
content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, 
service smtp; 
reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; 
classtype:trojan-activity;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; 
flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; 
content:"filename="; nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data; 
content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, 
service imap, service pop3; 
reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; 
classtype:trojan-activity;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; 
flow:to_client,established; content:".zip"; fast_pattern:only; http_header; content:"filename="; nocase; http_header; 
pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data; content:"|EF BB BF 50 B4|"; depth:5; metadata:policy 
balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; 
classtype:trojan-activity;)





On Apr 8, 2013, at 3:50 PM, James Lay <jlay () slave-tothe-box net> wrote:

> It's a Monday, so let's start with something exciting:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SPECIFIC-THREATS 
> UTF-8 BOM in ZIP"; flow:to_server,established; file_data; content:"zip"; 
> content:"|EF BB BF 50 B4|"; metadata:policy balanced-ips drop, policy 
> security-ips drop, service smtp; 
> reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; 
> classtype:trojan-activity; sid:10000045; rev:1;)
>
> Or not ;)..thoughts/cleanups/anything_that_would_make_this_useful are 
> welcome.
>
> James
>
> ------------------------------------------------------------------------------
> Minimize network downtime and maximize team effectiveness.
> Reduce network management and security costs.Learn how to hire 
> the most talented Cisco Certified professionals. Visit the 
> Employer Resources Portal
> http://www.cisco.com/web/learning/employer_resources/index.html
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!


------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!