Snort mailing list archives
Re: Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 11 Sep 2013 12:16:48 -0400
Nathan,

Thanks. Oddly enough I am testing a rule like that right now in our test systems. Our concern is false positive rate because of the generic structure. If we test okay on it, I'll move that rule to the community ruleset once committed.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 11, 2013, at 10:17 AM, lists () packetmail net wrote:

> I'll let you convert this into VRT format, this was originally shared at https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022768.html and I'm turning it over to VRT COMMUNITY as well, thanks!
>
> I'm seeing some pretty big win here, thoughts? I've regression tested this from 8/01+ with no false positives and only true win. Credits to V.L. on the sig with only some minor changes from me.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70,norm; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:x; rev:1;)
>
> Some regression testing:
>
> select distinct date_time,http_status,url from webwasher_full where day>='2013-08-01' and url rlike 'http:\\/\\/[^\\x2f]+\\/[a-f0-9]{5,}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\.php';
>
> [03/Aug/2013:10:28:59 -0600] 200 hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> [03/Aug/2013:10:29:00 -0600] 404 hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv
> [12/Aug/2013:07:21:08 -0600] 502 hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php
> [19/Aug/2013:09:54:33 -0600] 200 hxxp://bnaafv.t1.domainswellngtons.com/065952/factors-survives_altering/merely-calling_regulations-book.php
> [19/Aug/2013:09:54:36 -0600] 404 hxxp://www.ifcsutah.com/065952/factors-survives_altering/merely-calling_regulations-book.php?PvxbnFCXy=ksdQav&LgZxC=ZgPitLAMjjO
> [19/Aug/2013:16:04:13 -0600] 502 hxxp://sbwbwz.www3.localsearcherstuners.net/104aa6/mechanism-ultimately/advertises-discover-operations.php
> [20/Aug/2013:12:00:43 -0600] 502 hxxp://vnbxmr.ll2.domaindcomsdoctoriss.com/49bcde/repeats_stayed_fields/wanting-introducing.php
> [26/Aug/2013:13:39:25 -0600] 200 hxxp://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php
> [26/Aug/2013:14:11:05 -0600] 200 hxxp://xdsbhi.zxc1.domainswealthynodes.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php
> [26/Aug/2013:14:11:06 -0600] 404 hxxp://www.trainingap.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php?TtESMCoBkbMAGl=iWUpOduLQTx&tvtbkQDqLDxm=MOiVhdpSSzXjm
> [28/Aug/2013:11:13:31 -0600] 200 hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/company-lorries/released_arises.php
> [28/Aug/2013:11:13:34 -0600] 404 hxxp://www.lincolncountyco.us/5ca711/company-lorries/released_arises.php?HpMUFQISFd=PqYLvOpvsEO&hDmbxLVL=veGgPauJiKqpP
> [28/Aug/2013:11:14:18 -0600] 404 hxxp://www.lincolncountyco.us/5ca711/constant-putting/allowed_greater_removes.php?BfCRSa=PMlCcqB&rfvRRZlpbQlYIq=yYslQpJrgrktX
> [28/Aug/2013:11:14:18 -0600] 200 hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/constant-putting/allowed_greater_removes.php
> [29/Aug/2013:13:29:09 -0600] 200 hxxp://nmztle.www2.domainsegghipesunic.net/bcb655/remembered-cumming/derives-sun-restores_limited.php
> [29/Aug/2013:13:29:13 -0600] 404 hxxp://www.lincolncountyco.us/bcb655/remembered-cumming/derives-sun-restores_limited.php?YfjJvzOWjghc=DOfqfbhq&HaEMS=BfYzdzC
> [03/Sep/2013:15:31:23 -0600] 200 hxxp://kxwubnxvbxkn.qwe3.wyearsale.net/21b37/jobs-acted/opinions-obtains-flied-belongs.php
> [03/Sep/2013:15:31:25 -0600] 404 hxxp://domainseercher.pw/21b37/jobs-acted/opinions-obtains-flied-belongs.php?byVHMcyU=ctZxaastsBksZ&xFZSrsWAeoQp=pnImtrixlywjKp
>
> PCRE Testing:
>
> PCRE version 8.12 2011-01-15
>
>   re> /\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/
> data> http://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
>  0: /af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> data> ^C
>
> Cheers,
> Nathan Fowler
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
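The following is an added example, not code from either post or from VRT. It emulates the three conditions of the proposed rule (`content:".php"; http_uri`, `urilen:>70,norm`, and the PCRE with the `U` modifier) in Python and runs them over constructed proxy-log lines laid out like Nathan's regression output; the hostnames are reserved example names and the paths are made up, not observed infrastructure. Two things it makes visible that the `rlike` regression query alone does not: the query carries no length condition, so a URI that matches the PCRE but is 70 bytes or shorter would not fire the Snort rule, and a benign-looking path with a long hex segment and hyphenated words satisfies all three conditions, which is the generic-structure false-positive concern Joel raises. The assumption that Snort's normalized URI buffer holds path plus query string is the basis for the `request_uri` helper.

```python
import re
from urllib.parse import urlsplit

# PCRE copied verbatim from the proposed rule; Python's re accepts this syntax.
# The Snort "U" modifier means "match against the normalized URI buffer", which
# is emulated here by matching only the path+query part of each URL.
BLACKHOLE_PATH = re.compile(
    r"/[a-f0-9]{5,}/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php"
)

URILEN_MIN = 70  # rule option urilen:>70,norm


def request_uri(url: str) -> str:
    """Return the request-URI (path plus query) as it would sit in Snort's http_uri buffer.

    Assumption: the normalized URI buffer includes the query string.
    """
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri


def rule_matches(url: str) -> dict:
    """Evaluate the rule's three detection options against one URL and report each verdict."""
    uri = request_uri(url)
    content_hit = ".php" in uri          # content:".php"; http_uri; fast_pattern:only
    urilen_hit = len(uri) > URILEN_MIN   # urilen:>70,norm
    m = BLACKHOLE_PATH.search(uri)       # pcre:"/.../U"
    return {
        "uri": uri,
        "content": content_hit,
        "urilen": urilen_hit,
        "pcre": m.group(0) if m else None,
        "alert": content_hit and urilen_hit and m is not None,
    }


# Constructed sample proxy lines in the same "[timestamp] status url" layout as the
# post's regression output. Hosts are reserved example names, paths are invented.
SAMPLE_LOG = """\
[04/Sep/2013:09:12:01 -0600] 200 http://landing.example.net/7c3f9a/rarely-wonder_nearly-falls/appears-whatever-silence-somehow.php
[04/Sep/2013:09:12:03 -0600] 404 http://compromised.example.org/7c3f9a/rarely-wonder_nearly-falls/appears-whatever-silence-somehow.php?AbCdEf=gHiJ&KlMnO=pQr
[04/Sep/2013:10:30:17 -0600] 502 http://short.example.net/9a7c01/form_login/session-check.php
[04/Sep/2013:11:05:44 -0600] 200 http://docs.example.com/5f3e2a1b9c/docs-user-guide/getting-started-with-the-api.php?page=2&lang=en
[04/Sep/2013:11:40:09 -0600] 200 http://www.example.com/abcd/news-today/read-more-here.php?id=1234567890&ref=newsletter&utm_source=mail
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<status>\d{3}) (?P<url>\S+)$")


def scan_log(text: str) -> list:
    """Parse proxy-log lines and return (status, url, alert) triples under the emulated rule."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        verdict = rule_matches(m.group("url"))
        results.append((m.group("status"), m.group("url"), verdict["alert"]))
    return results


def alerting_urls(text: str) -> list:
    """URLs in the log that satisfy all three rule conditions."""
    return [url for _, url, alert in scan_log(text) if alert]


if __name__ == "__main__":
    for status, url, alert in scan_log(SAMPLE_LOG):
        v = rule_matches(url)
        print(
            f"{'ALERT' if alert else 'pass '} {status} "
            f"urilen={len(v['uri']):3d} pcre={'hit' if v['pcre'] else 'none'} {url}"
        )
```

In the sample, the third line matches the PCRE but its URI is only 36 bytes, so the rule would stay silent where the `rlike` query reports a hit; the fourth line is the structural false positive: a ten-character hex directory followed by two hyphenated word lists, long enough to pass `urilen:>70`. Adding the length condition to the regression query (or re-running the matched URLs through the full rule, as above) keeps the historical test aligned with what the sensor will actually do.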
Current thread:
- Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path" lists () packetmail net (Sep 11)
- Re: Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path" Joel Esler (Sep 11)