Snort mailing list archives

Re: UTF-8 BOM

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 08 Apr 2013 14:22:37 -0600

On 2013-04-08 14:10, Joel Esler wrote:

How about something like this James?  (Three rules)


alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
UTF-8 BOM in zip file attachment detected";
flow:to_server,established; content:".zip"; fast_pattern:only;
content:"Content-Disposition: attachment|3B|"; content:"filename=";
nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service smtp;

reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
classtype:trojan-activity;)

alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any
(msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
flow:to_client,established; content:".zip"; fast_pattern:only;
content:"Content-Disposition: attachment|3B|"; content:"filename=";
nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service imap,
service pop3;

reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
classtype:trojan-activity;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
flow:to_client,established; content:".zip"; fast_pattern:only;
http_header; content:"filename="; nocase; http_header;
pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;

reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
classtype:trojan-activity;)


Dammit Joel...you're always look so much better than mine :P  As 
always, thanks a bunch :)

James

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

UTF-8 BOM James Lay (Apr 08)
- Re: UTF-8 BOM Joel Esler (Apr 08)
  - Re: UTF-8 BOM James Lay (Apr 08)
    - Re: UTF-8 BOM Joel Esler (Apr 08)
    - Re: UTF-8 BOM rmkml (Apr 09)
    - Re: UTF-8 BOM Joel Esler (Apr 09)