Re: Proposed Signature for "VRT COMMUNITY Blackhole hex and wordlist initial landing and exploit path"

[Joel Esler <jesler () sourcefire com>]

Nathan,

Thanks.  Oddly enough I am testing a rule like that right now in our test systems.  Our concern is false positive rate 
because of the generic structure.  If we test okay on it, I’ll move that rule to the community ruleset one committed.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire



On Sep 11, 2013, at 10:17 AM, lists () packetmail net wrote:

> I'll let you convert this into VRT format, this was originally shared at
> https://lists.emergingthreats.net/pipermail/emerging-sigs/2013-September/022768.html
> and I'm turning it over to VRT COMMUNITY as well, thanks!
>
> I'm seeing some pretty big win here, thoughts?  I've regression tested this
> from 8/01+ with no false positives and only true win.  Credits to V.L. on the
> sig with only some minor changes from me.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Blackhole hex and wordlist initial landing and exploit path";
> flow:established,to_server; urilen:>70,norm; content:".php"; http_uri;
> fast_pattern:only;
> pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U";
> classtype:trojan-activity; sid:x; rev:1;)
>
> Some regression testing:
>
> select distinct date_time,http_status,url from webwasher_full where
> day>='2013-08-01' and url rlike
> 'http:\\/\\/[^\\x2f]+\\/[a-f0-9]{5,}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\\.php';
>
> [03/Aug/2013:10:28:59 -0600]    200
> hxxp://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
>
> [03/Aug/2013:10:29:00 -0600]    404
> hxxp://englishrussia.com/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php?rbEDuLUoFqICzm=QopeL&XZqnudoETeUCNOZ=qWBINMtQWv
>
> [12/Aug/2013:07:21:08 -0600]    502
> hxxp://cwszsk.qwe1.nameswilcherilyntypes.com/8fea3c/joy_discs/letter-sometimes.php
>
> [19/Aug/2013:09:54:33 -0600]    200
> hxxp://bnaafv.t1.domainswellngtons.com/065952/factors-survives_altering/merely-calling_regulations-book.php
>
> [19/Aug/2013:09:54:36 -0600]    404
> hxxp://www.ifcsutah.com/065952/factors-survives_altering/merely-calling_regulations-book.php?PvxbnFCXy=ksdQav&LgZxC=ZgPitLAMjjO
>
> [19/Aug/2013:16:04:13 -0600]    502
> hxxp://sbwbwz.www3.localsearcherstuners.net/104aa6/mechanism-ultimately/advertises-discover-operations.php
>
> [20/Aug/2013:12:00:43 -0600]    502
> hxxp://vnbxmr.ll2.domaindcomsdoctoriss.com/49bcde/repeats_stayed_fields/wanting-introducing.php
>
> [26/Aug/2013:13:39:25 -0600]    200
> hxxp://tsnvht.asd2.domainswealthynodes.com/96f500/governor-via-strength-wondering/whose-somewhere-nevertheless.php
>
> [26/Aug/2013:14:11:05 -0600]    200
> hxxp://xdsbhi.zxc1.domainswealthynodes.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php
>
> [26/Aug/2013:14:11:06 -0600]    404
> hxxp://www.trainingap.com/2c745d/emphasis-was-incomplete/session-circuit_father-existed.php?TtESMCoBkbMAGl=iWUpOduLQTx&tvtbkQDqLDxm=MOiVhdpSSzXjm
>
> [28/Aug/2013:11:13:31 -0600]    200
> hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/company-lorries/released_arises.php
>
> [28/Aug/2013:11:13:34 -0600]    404
> hxxp://www.lincolncountyco.us/5ca711/company-lorries/released_arises.php?HpMUFQISFd=PqYLvOpvsEO&hDmbxLVL=veGgPauJiKqpP
>
> [28/Aug/2013:11:14:18 -0600]    404
> hxxp://www.lincolncountyco.us/5ca711/constant-putting/allowed_greater_removes.php?BfCRSa=PMlCcqB&rfvRRZlpbQlYIq=yYslQpJrgrktX
>
> [28/Aug/2013:11:14:18 -0600]    200
> hxxp://autdmh.vbn3.agatarinhtonnsdusting.biz/5ca711/constant-putting/allowed_greater_removes.php
>
> [29/Aug/2013:13:29:09 -0600]    200
> hxxp://nmztle.www2.domainsegghipesunic.net/bcb655/remembered-cumming/derives-sun-restores_limited.php
>
> [29/Aug/2013:13:29:13 -0600]    404
> hxxp://www.lincolncountyco.us/bcb655/remembered-cumming/derives-sun-restores_limited.php?YfjJvzOWjghc=DOfqfbhq&HaEMS=BfYzdzC
>
> [03/Sep/2013:15:31:23 -0600]    200
> hxxp://kxwubnxvbxkn.qwe3.wyearsale.net/21b37/jobs-acted/opinions-obtains-flied-belongs.php
>
> [03/Sep/2013:15:31:25 -0600]    404
> hxxp://domainseercher.pw/21b37/jobs-acted/opinions-obtains-flied-belongs.php?byVHMcyU=ctZxaastsBksZ&xFZSrsWAeoQp=pnImtrixlywjKp
>
> PCRE Testing:
>
> PCRE version 8.12 2011-01-15
>
>  re>
> /\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/
> data>
> http://wwmybx.zxc3.domaiunssslceretif.org/af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> 0: /af1049/rarely-everywhere_pocket-implying/however-consist-checked.php
> data> ^C
>
> Cheers,
> Nathan Fowler
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. Consolidate legacy IT systems to a single system of record for IT
> 2. Standardize and globalize service processes across IT
> 3. Implement zero-touch automation to replace manual, redundant tasks
> http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. Consolidate legacy IT systems to a single system of record for IT
2. Standardize and globalize service processes across IT
3. Implement zero-touch automation to replace manual, redundant tasks
http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!