Snort mailing list archives
Re: Assist with FrameworkPOS sig
From: rmkml <rmkml () yahoo fr>
Date: Wed, 15 Oct 2014 21:28:20 +0200 (CEST)
Thx James for sharing, could you check this revision please? (not tested)

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon"; fast_pattern:only; pcre:"/\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}[\x18-\x60][a-f0-9]{24,96}[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/; classtype:trojan-activity; sid:10000137; rev:2;)

c5008015                    -> \x08[a-f0-9]{8}
.beacon                     -> \x06beacon
.c3cbc0dcc3c4cadcc4cbdcc4cb -> [\x18-\x60][a-f0-9]{24,96}
.a2b3a7bedfb3b0b1c3c0c1c6   -> [\x18-\x60][a-f0-9]{24,96}
.domain                     -> [\x03-\x60]\w{3,96}
.com                        -> [\x02-\x06]\w{2,6}\x00

Comments are welcome ;)

Regards
@Rmkml

On Wed, 15 Oct 2014, James Lay wrote:
Hey all,

I'm attempting to get something going for the below:

https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html

In a nutshell I'm trying to create a couple sigs to match:

Id.beacon.encoded_data1.encoded_data2.domain.com

This request is the heartbeat. The ID is a random ID generated during the first execution of the malware. Encoded_data1 is the IP address of the infected machine and encoded_data2 is the host name of the machine.

Id.alert.encoded_data3.domain.com

The ID is the same random ID as used in the example above and encoded_data3 is a process name. The attackers receive the process name each time a credit card number is found in the memory.

An example DNS request:

c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com

alert udp $HOME_NET any -> any 53 (msg:"MALWARE-CNC FrameworkPOS beacon"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|beacon|1A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html/; classtype:trojan-activity; sid:10000137; rev:1;)

What I don't have intel on is if the values before and after beacon and alert change length. Is pcre a good fit for this? Or something else?

Thanks for looking all.

James
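Added example (not code from the thread or from either poster): the three checks in the proposed rule, byte_test, content anchor and pcre, re-implemented over a raw DNS UDP payload so the revision can be exercised offline against the example name from the G DATA write-up. The query builder, the sample names and the extra label-walking check are constructed for this example; the label walk goes one step beyond the pcre by verifying that each length byte actually matches the label data and never exceeds the 63-octet DNS label limit, which the `[\x18-\x60]` ranges in the pcre cannot enforce on their own.

```python
import re
import struct

# The pcre from rmkml's rev:2, as a bytes regex (Snort applies it to the raw payload).
BEACON_RE = re.compile(
    rb"\x08[a-f0-9]{8}\x06beacon[\x18-\x60][a-f0-9]{24,96}[\x18-\x60][a-f0-9]{24,96}"
    rb"[\x03-\x60]\w{3,96}[\x02-\x06]\w{2,6}\x00"
)
HEX_LABEL = re.compile(r"^[a-f0-9]+$")

# Example beacon name quoted in the thread (from the G DATA post).
SAMPLE_BEACON = "c5008015.beacon.c3cbc0dcc3c4cadcc4cbdcc4cb.a2b3a7bedfb3b0b1c3c0c1c6.domain.com"


def build_dns_query(name: str, txid: int = 0x1234, qr: int = 0) -> bytes:
    """Constructed test input: a minimal DNS query for `name`, QTYPE A, QCLASS IN.
    qr=1 flips the QR bit so a response can be fed through the same checks."""
    flags = (qr << 15) | 0x0100          # RD set, opcode 0, AA/TC clear
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def byte_test_standard_query(payload: bytes) -> bool:
    """Equivalent of byte_test:1,!&,0xF8,2 : the byte at offset 2 must have
    QR, the four Opcode bits and AA all clear, i.e. a standard query."""
    return len(payload) > 2 and (payload[2] & 0xF8) == 0


def rule_matches(payload: bytes) -> bool:
    """Mirror the rule's evaluation order: byte_test, content anchor, then pcre."""
    if not byte_test_standard_query(payload):
        return False
    if b"\x06beacon" not in payload:      # content:"|06|beacon"
        return False
    return BEACON_RE.search(payload) is not None


def parse_qname(payload: bytes) -> list:
    """Walk the QNAME labels of the first question (offset 12, after the header),
    rejecting lengths that overrun the payload or exceed the 63-octet label limit."""
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        if n == 0:
            return labels
        if n > 63 or pos + 1 + n > len(payload):
            raise ValueError("malformed label length")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", errors="replace"))
        pos += 1 + n
    raise ValueError("unterminated QNAME")


def strict_beacon_match(payload: bytes) -> bool:
    """Stricter structural check: id(8 hex).beacon.hex(24..63).hex(24..63).<domain...>
    Label lengths are taken from the parsed labels, not from a regex over bytes."""
    if not byte_test_standard_query(payload):
        return False
    try:
        labels = parse_qname(payload)
    except ValueError:
        return False
    if len(labels) < 5 or labels[1] != "beacon":
        return False
    ident, _, data1, data2 = labels[:4]
    if len(ident) != 8 or not HEX_LABEL.match(ident):
        return False
    return all(24 <= len(d) <= 63 and HEX_LABEL.match(d) for d in (data1, data2))


if __name__ == "__main__":
    for name, qr in ((SAMPLE_BEACON, 0), ("www.example.com", 0), (SAMPLE_BEACON, 1)):
        pkt = build_dns_query(name, qr=qr)
        print(f"qr={qr} {name[:40]:<40} rule={rule_matches(pkt)} strict={strict_beacon_match(pkt)}")
```

Running the block shows the sample beacon matching both checks, a benign lookup matching neither, and a DNS response carrying the same name being dropped by the byte_test before the pcre is ever evaluated; the strict parser is what a sensor would need if the encoded fields turn out to vary in length, since it can then be loosened on the parsed labels rather than on byte ranges.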