Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27


From: Joel Esler <jesler () cisco com>
Date: Wed, 28 Jan 2015 13:44:14 -0500

On Wed, Jan 28, 2015 at 10:32:43AM -0800, Benjamin Small wrote:
  I get that PCAPs are useful, but this sig has been stripped down to just a
  UA. It's not like the UA is a distinct string, it's a substring of one of
  the most popular UAs you'll see. If this were crafted as a low priority
  "suspicious" rule it would be *almost* ok, but as a drop rule? I would hope
  that your signature review process would have caught something like this.
  -Ben

        Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
        (msg:"BLACKLIST USER-AGENT known malicious user-agent string -
        Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established;
        content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20;
        nocase; http_header; metadata:impact_flag red, policy balanced-ips
        drop, policy security-ips drop, service http;
        reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/;
        classtype:trojan-activity; sid:31557; rev:3; )


We aren't looking for a "subset" of a string though; we are looking for a distinct string, we are looking for a string 
where the entire User-Agent is "Mozilla/5.0", which is not a legitimate browser User-Agent. It may be used by legit 
applications in an incorrect way, but it's not a legitimate browser User-Agent.

We're currently evaluating the rule.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
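
The disagreement above turns on the trailing |0D 0A| in the rule's content option: because the CRLF that ends the header line is part of the pattern, the content only matches when the whole User-Agent value is "Mozilla/5.0", not when it is a prefix of a longer browser string. The following Python is an added example written for this archive page; it is not code from the thread, from Talos, or from Snort itself. It approximates the content;nocase;http_header test as a case-insensitive substring search over a raw header block, which is enough to show the point but does not reproduce Snort's HTTP header normalization. The request headers and User-Agent samples are constructed for the example.

```python
# Added example (not part of the original thread or of Snort): emulate the
# content;nocase;http_header test from SID 31557 rev 3 as a plain substring
# search over a constructed HTTP header block.


def decode_snort_content(spec: str) -> bytes:
    """Decode a Snort content string such as 'User-Agent|3A| Mozilla/5.0|0D 0A|'.

    Text outside |...| is taken literally; inside the bars, hex byte pairs
    (optionally whitespace-separated) become raw bytes.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment, e.g. "0D 0A"
    return bytes(out)


# The content option exactly as it appears in the rule update.
RULE_CONTENT = decode_snort_content("User-Agent|3A| Mozilla/5.0|0D 0A|")


def header_block(user_agent: str) -> bytes:
    """Constructed HTTP/1.1 request headers carrying the given User-Agent."""
    return (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.invalid\r\n"       # constructed host, not a real one
        b"User-Agent: " + user_agent.encode("latin-1") + b"\r\n"
        b"Accept: */*\r\n"
        b"\r\n"
    )


def content_matches(headers: bytes, pattern: bytes = RULE_CONTENT,
                    nocase: bool = True) -> bool:
    """Approximate Snort's content match: does the pattern occur anywhere in
    the header block? 'nocase' makes the comparison case-insensitive, as the
    rule's nocase modifier does."""
    if nocase:
        return pattern.lower() in headers.lower()
    return pattern in headers


def classify(user_agents):
    """Return {user_agent: matched} for each sample User-Agent value."""
    return {ua: content_matches(header_block(ua)) for ua in user_agents}


if __name__ == "__main__":
    # Constructed samples: the bare value the rule targets, a case variant,
    # a full Firefox-style string that merely starts with Mozilla/5.0, and
    # the bare value with a trailing space.
    samples = [
        "Mozilla/5.0",
        "mozilla/5.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0",
        "Mozilla/5.0 ",
    ]
    for ua, hit in classify(samples).items():
        print(f"{'MATCH   ' if hit else 'no match'}  {ua!r}")
```

Only the two bare "Mozilla/5.0" values match; the full browser string does not, because after "Mozilla/5.0" the header continues with a space rather than CRLF. Note also that fast_pattern:5,20 selects the 20 bytes starting at offset 5 of the content, "Agent: Mozilla/5.0" followed by CRLF, so the fast-pattern prefilter itself already carries the line terminator. What this emulation does not show is how Snort's HTTP inspector normalizes the header buffer before the match, so treat it as an illustration of the pattern's semantics, not of engine behaviour.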

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

