Snort mailing list archives

Re: APT28 Snort Signatures


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 28 Oct 2014 20:19:20 +0000

Thanks Tony, we’ll get these into the system

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

On Oct 28, 2014, at 12:46 PM, Tony Robinson <deusexmachina667 () gmail com> wrote:

Howdy Howdy. I'm sure many of you are aware of the recent news with APT28. If not, have a look:
http://www.fireeye.com/resources/pdfs/apt28.pdf
https://github.com/fireeye/iocs/tree/master/APT28

I have developed and tested signatures based off the PDF report and the IOCs provided by FireEye. Here is what I have:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CORESHELL POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/check/"; http_uri; content:"User-Agent|3A| MSIE 8.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:policy security-ips drop, service http; sid:1000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v1 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webhp?rel="; nocase; http_uri; content:"hl="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v2 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/search?btnG="; nocase; http_uri; content:"utm="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OLDBAIT POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/index.php"; fast_pattern:only; http_uri; content:"prefs="; nocase; http_client_body; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000004; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS rnil.am"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000005; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS standartnevvs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000006; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS novinitie.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000007; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS n0vinite.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000008; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS qov.hu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000009; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS mail.g0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000010; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS baltichost.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000011; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS nato.nshq.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000012; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS natoexhibitionff14.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000013; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS login-osce.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000014; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS smigroup-online.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000015; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS q0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000016; rev:1;)

Questions? Concerns? Improvements? Feel free to contact me on-list (for everyone's benefit) or modify as you see fit. Also included as an attachment for your convenience.

-- 
when does reality end? when does fantasy begin?
<apt28.rules>
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
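The DNS rules above match the query name in wire format (each label preceded by its length byte, no dots) and gate on byte_test:1,!&,0xF8,2, which requires QR=0 and opcode=0, i.e. a standard query. The following is an added example, not code from Tony's post, Talos or FireEye: it generates a content string of that shape from a domain, emits a rule in the same layout as the posted ones, decodes a rule's content option back to bytes, and applies the rule's two checks to a constructed DNS query so a rule can be sanity-checked offline before it goes into a ruleset. Function names, the sample packets and the flag values are this example's own assumptions; the one rule it embeds is reproduced from the post.

```python
# Added example (not part of the mailing-list post or of Talos/FireEye code):
# generate and offline-check Snort DNS blacklist rules of the shape used above.
import re
import struct

# One of the posted rules, reproduced here as the reference target for the checks.
KAVKAZ_RULE = (
    'alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; '
    'flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, '
    'policy security-ips drop, service dns; '
    'reference:url,github.com/fireeye/iocs/blob/master/APT28/'
    '0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000004; rev:1;)'
)
APT28_IOC_REF = "github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"

CONTENT_RE = re.compile(r'content:"([^"]*)"')


def domain_to_snort_content(domain: str) -> str:
    """DNS wire format has no dots: each label is preceded by its length byte,
    so "kavkazcentr.info" must be matched as "|0B|kavkazcentr|04|info"."""
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts)


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content string (literal text with |hex| escapes) into bytes."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        out += chunk.encode("ascii") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def make_dns_blacklist_rule(domain: str, sid: int, reference: str) -> str:
    """Emit a rule in the same layout as the posted ones; sid and reference are the caller's."""
    return (
        f'alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS {domain}"; '
        f'flow:to_server; byte_test:1,!&,0xF8,2; content:"{domain_to_snort_content(domain)}"; '
        f'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, '
        f'policy security-ips drop, service dns; reference:url,{reference}; sid:{sid}; rev:1;)'
    )


def build_dns_query(domain: str, flags: int = 0x0100, txid: int = 0x1234) -> bytes:
    """Constructed sample packet: DNS header plus one question for an A record.
    flags=0x0100 is a standard recursive query (QR=0, opcode=0, RD=1)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def byte_test_not_and(packet: bytes, size: int, mask: int, offset: int) -> bool:
    """Snort's byte_test:<size>,!&,<mask>,<offset>: true when (value & mask) == 0."""
    value = int.from_bytes(packet[offset:offset + size], "big")
    return (value & mask) == 0


def rule_matches(rule: str, packet: bytes) -> bool:
    """Apply the DNS rule's two checks: byte 2 has QR=0 and opcode=0 (a standard
    query), and the length-prefixed name appears in the payload. Because the
    content is an unanchored substring, subdomains of the listed name match too."""
    content = CONTENT_RE.search(rule).group(1)
    needle = snort_content_to_bytes(content)
    return byte_test_not_and(packet, 1, 0xF8, 2) and needle in packet


if __name__ == "__main__":
    for domain, sid in [("kavkazcentr.info", 1000004), ("smigroup-online.co.uk", 1000015)]:
        print(make_dns_blacklist_rule(domain, sid, APT28_IOC_REF))
    print(rule_matches(KAVKAZ_RULE, build_dns_query("www.kavkazcentr.info")))  # True
    print(rule_matches(KAVKAZ_RULE, build_dns_query("kavkazcentr.info", flags=0x8180)))  # False: a response
```

Two properties worth noting from the checks: the dotted form of the domain never appears in the packet, which is why a plain "kavkazcentr.info" content would not fire, and a response carrying the same name (QR=1) is excluded by the byte_test, so the rule only fires on the client's outbound lookup, matching the flow:to_server intent.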


