Snort mailing list archives
Re: APT28 Snort Signatures
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 28 Oct 2014 20:19:20 +0000
Thanks Tony, we’ll get these into the system

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
On Oct 28, 2014, at 12:46 PM, Tony Robinson <deusexmachina667 () gmail com> wrote:

Howdy Howdy. I'm sure many of you are aware of the recent news with APT28. If not, have a look:

http://www.fireeye.com/resources/pdfs/apt28.pdf
https://github.com/fireeye/iocs/tree/master/APT28

I have developed and tested signatures based off the PDF report and the IOCs provided by FireEye. Here is what I have:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CORESHELL POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/check/"; http_uri; content:"User-Agent|3A| MSIE 8.0"; http_header; fast_pattern:only; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:policy security-ips drop, service http; sid:1000000; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v1 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/webhp?rel="; nocase; http_uri; content:"hl="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC CHOPSTICK v2 POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/search?btnG="; nocase; http_uri; content:"utm="; nocase; http_uri; distance:0; content:"ai="; nocase; http_uri; distance:0; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.|3B| WOW64|3B| rv|3A|20.0) Gecko/20100101 Firefox/20.0"; fast_pattern:only; http_header; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OLDBAIT POST request"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/index.php"; fast_pattern:only; http_uri; content:"prefs="; nocase; http_client_body; reference:url,www.fireeye.com/resources/pdfs/apt28.pdf; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; sid:1000003; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS kavkazcentr.info"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000004; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS rnil.am"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000005; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS standartnevvs.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000006; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS novinitie.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000007; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS n0vinite.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000008; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS qov.hu.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000009; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS mail.g0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000010; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS baltichost.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000011; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS nato.nshq.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000012; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS natoexhibitionff14.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000013; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS login-osce.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000014; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS smigroup-online.co.uk"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|co|02|uk"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000015; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS q0v.pl"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc; sid:1000016; rev:1;)

Questions? Concerns? Improvements? Feel free to contact me on-list (for everyone's benefit) or modify as you see fit. Also included as an attachment for your convenience.

--
when does reality end? when does fantasy begin?

<apt28.rules>

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
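The DNS rules in Tony's post all follow one pattern: byte_test:1,!&,0xF8,2 restricts the match to standard queries (QR and Opcode bits of DNS header byte 2 clear), and the content is the queried name in wire format, each label preceded by its length as a hex byte in pipes. The most common way such hand-written rules fail is a length prefix that does not match its label, which makes the rule never fire without any error at load time. The Python below is an added example from the editor, not part of the posted rule set or of Snort; it renders a name into that content form, checks existing contents for prefix/label mismatches, and emulates the byte_test plus content match against a constructed query packet. Function names, the constructed packets and the example sid are the editor's own.

```python
"""Helpers for the BLACKLIST DNS rule pattern in the thread above.

Added example code, not part of Tony Robinson's rule set or of Snort.
Every domain, packet and sid built here is constructed for illustration.
"""
import re
import string
import struct

# The posted rules use byte_test:1,!&,0xF8,2: byte 2 of the DNS header holds
# QR (0x80) and Opcode (0x78), so "none of 0xF8 set" means a standard query.
FLAGS_MASK = 0xF8
LABEL_CHARS = set(string.ascii_letters + string.digits + "-")


def dns_label_content(domain: str) -> str:
    """Render a name as the Snort content string the rules use.

    'kavkazcentr.info' -> '|0B|kavkazcentr|04|info': each label is preceded by
    its length as a hex byte in pipes, exactly as the QNAME appears on the wire
    (RFC 1035 section 3.1).
    """
    parts = []
    for label in domain.strip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        parts.append(f"|{len(label):02X}|{label}")
    return "".join(parts)


def parse_snort_content(content: str) -> bytes:
    """Turn a Snort content string (with |xx| hex escapes) into raw bytes."""
    out = bytearray()
    for piece in re.split(r"(\|[0-9A-Fa-f ]+\|)", content):
        if len(piece) > 1 and piece.startswith("|") and piece.endswith("|"):
            out += bytes.fromhex(piece.strip("|"))
        else:
            out += piece.encode("ascii")
    return bytes(out)


def validate_dns_content(content: str) -> bool:
    """Check that every length prefix matches the label that follows it.

    A wrong prefix (|0A| in front of an 11-byte label) can never match the
    wire form, so the rule silently does nothing; catch that before loading.
    """
    data = parse_snort_content(content)
    pos = 0
    while pos < len(data):
        n = data[pos]
        if n == 0 or n > 63 or pos + 1 + n > len(data):
            return False
        label = data[pos + 1:pos + 1 + n]
        if not all(chr(b) in LABEL_CHARS for b in label):
            return False
        pos += 1 + n
    return len(data) > 0


def build_dns_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed UDP payload: a standard A query (QR=0, Opcode=0, RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in domain.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rule_matches(dns_payload: bytes, content: str) -> bool:
    """Emulate 'byte_test:1,!&,0xF8,2; content:"..."' on a DNS payload."""
    if len(dns_payload) < 12:
        return False
    if dns_payload[2] & FLAGS_MASK:  # a response or a non-standard opcode
        return False
    return parse_snort_content(content) in dns_payload


def make_rule(domain: str, sid: int, reference: str) -> str:
    """Emit a rule in the same shape as the posted BLACKLIST DNS rules."""
    content = dns_label_content(domain)
    assert validate_dns_content(content)
    return ('alert udp $HOME_NET any -> $EXTERNAL_NET 53 '
            f'(msg:"BLACKLIST DNS {domain}"; flow:to_server; '
            'byte_test:1,!&,0xF8,2; '
            f'content:"{content}"; fast_pattern:only; '
            'metadata:impact_flag red, policy balanced-ips drop, '
            'policy security-ips drop, service dns; '
            f'reference:url,{reference}; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    # Sanity-check one content from the thread, then generate a rule with a
    # constructed local sid and the report URL from the thread as reference.
    print(validate_dns_content("|0B|kavkazcentr|04|info"))
    print(make_rule("example.invalid", 1000999,
                    "www.fireeye.com/resources/pdfs/apt28.pdf"))
```

Running validate_dns_content over every content string in a rules file is a cheap pre-deployment check. Note also that the posted DNS rules carry no nocase: DNS names are compared case-insensitively and some resolvers randomise label case, so a content match on the literal lowercase label can miss queries that a nocase variant would catch; the |xx| length bytes are unaffected by nocase.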