Re: UTF-8 BOM

[Joel Esler <jesler () sourcefire com>]

Yup. Caught those already. I'm testing them. 

--
Joel Esler
Sent from my iPhone 

On Apr 9, 2013, at 3:06 PM, rmkml <rmkml () yahoo fr> wrote:

> Hi,
>
> Thx for sharing,
>
> -maybe change B4 to 4B ?
>
> -for http sig, maybe add H on pcre ?
>
> Best Regards
> Rmkml
>
>
> On Mon, 8 Apr 2013, Joel Esler wrote:
>
> > On Apr 8, 2013, at 4:22 PM, James Lay <jlay () slave-tothe-box net> wrote:
> >      On 2013-04-08 14:10, Joel Esler wrote:
> >            How about something like this James?  (Three rules)
> >
> >            alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
> >            UTF-8 BOM in zip file attachment detected";
> >            flow:to_server,established; content:".zip"; fast_pattern:only;
> >            content:"Content-Disposition: attachment|3B|"; content:"filename=";
> >            nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
> >            content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
> >            drop, policy security-ips drop, ruleset community, service smtp;
> >            
> > reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
> >            classtype:trojan-activity;)
> >
> >            alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any
> >            (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
> >            flow:to_client,established; content:".zip"; fast_pattern:only;
> >            content:"Content-Disposition: attachment|3B|"; content:"filename=";
> >            nocase; pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
> >            content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
> >            drop, policy security-ips drop, ruleset community, service imap,
> >            service pop3;
> >            
> > reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
> >            classtype:trojan-activity;)
> >
> >            alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> >            (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
> >            flow:to_client,established; content:".zip"; fast_pattern:only;
> >            http_header; content:"filename="; nocase; http_header;
> >            pcre:"/filename=[^\n]*?\x2ezip[\x22\x27\s]/si"; file_data;
> >            content:"|EF BB BF 50 B4|"; depth:5; metadata:policy balanced-ips
> >            drop, policy security-ips drop, ruleset community, service http;
> >            
> > reference:url,http://blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection;
> >            classtype:trojan-activity;)
> >
> >      Dammit Joel...you're always look so much better than mine :P  As always, thanks a bunch :)
> > :D
> > Alright, I have these in the test system, let's see how they do.
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!