Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27


From: Benjamin Small <benjamin.small83 () gmail com>
Date: Wed, 28 Jan 2015 10:54:36 -0800

I'm saying your exact match is a substring of a popular user agent, not
that it would match legit user agents. If the match was "UserAgent:
PwnYerBox", then I would totally understand. In that case, as I review the
signature definition I'm about to apply to all my clients as a high
priority drop rule, I'm going to feel comfortable.

In the case that the UserAgent is "Mozilla/5.0", in a world where it takes
one line of python/perl/ruby to send a legit web request, I might be a bit
more careful. If your reviewers see that and think "Yea, that's not going
to be false positive"... then I'm not sure what to say...

Now that that's said, back to cleaning the thousands of false positives out
of my SIEM.

-Ben


On Wed, Jan 28, 2015 at 10:45 AM, Jeff Stebelton <sysprobe9127 () gmail com>
wrote:

I believe it won't fire as a subset of a longer UA, as the content match
ends with a CR/LF.

content:"User-Agent|3A| Mozilla/5.0|0D 0A|"

That said, we're still seeing Amazon related false positives. Need to
check the new machines and see if they have Cloud Player installed; the
original did.

On Wed, Jan 28, 2015 at 1:32 PM, Benjamin Small <benjamin.small83 () gmail com> wrote:

I get that PCAPs are useful, but this sig has been stripped down to just
a UA. It's not like the UA is a distinct string, it's a substring of one of
the most popular UAs you'll see. If this were crafted as a low priority
"suspicious" rule it would be *almost* ok, but as a drop rule? I would hope
that your signature review process would have caught something like this.

-Ben

On Wed, Jan 28, 2015 at 6:33 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

Yeah. Pcaps would help. I think we can isolate the false positives,
just want some examples to check against.

--
*Joel Esler*
Sent from my iPhone

On Jan 28, 2015, at 9:29 AM, Jeff Stebelton <sysprobe9127 () gmail com>
wrote:

Seeing some false positives here. Latest ones appear to be an Amazon
app using the Mozilla/5.0 User Agent..

On Wed, Jan 28, 2015 at 9:03 AM, Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov> wrote:

It looks like the 'content:"/2507US-1/"; ' match has been removed from
1:31557 in rev 3, which is causing a lot of apparent FPs on our network.
Anyone else seeing this?

Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:2; )

Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31557; rev:3; )

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)

-----Original Message-----
From: Research [mailto:research () sourcefire com]
Sent: Tuesday, January 27, 2015 12:42
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
2015-01-27

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The VRT has added and modified multiple rules in the blacklist,
browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise,
malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule
sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFUx80xQLjqI2QiHVMRAvgyAJ4i4BtN6tT8rbRFuADxU9Q5XFkt2QCfWyFr
92zwsadqdriaRWRP5EFdlFc=
=Q9n5
-----END PGP SIGNATURE-----



------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is
your hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!












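The disagreement in this thread is about how the two revisions of sid:31557 behave on real traffic: whether the trailing |0D 0A| stops the rule from firing on a longer browser User-Agent (Jeff's point), and whether dropping the http_uri match in rev 3 makes any client that sends a bare "Mozilla/5.0" a false positive (Ben's and Anthony's point). The script below is an added example, not code from the thread, from Snort, or from the VRT: it re-implements only the content matches quoted above in plain Python, as a simplified stand-in for Snort's http_uri and http_header buffers rather than the real detection engine, and runs them over three constructed requests. The request bodies, host names and the "Amazon-like" sample are made up for illustration.

```python
"""Emulate sid:31557 rev:2 vs rev:3 on a few constructed HTTP requests.

Added illustration only. It models the two content matches from the rule
text quoted in the thread:

  content:"/2507US-1/"; http_uri;                          (rev 2 only)
  content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; nocase; http_header;

Snort's |0D 0A| is the CR LF that ends the header line, so the match only
succeeds when the User-Agent value is exactly "Mozilla/5.0". This is an
approximation of Snort's normalized buffers, not the real engine.
"""

# Content matches copied from the rule text. The UA match carries nocase,
# the URI match in rev 2 does not.
UA_CONTENT = b"User-Agent: Mozilla/5.0\r\n"
URI_CONTENT = b"/2507US-1/"


def split_request(raw: bytes):
    """Return (uri, header_block) from a raw HTTP/1.x request.

    header_block is every header line with its CRLF terminator kept, which
    is what the |0D 0A| at the end of the rule's content relies on. The
    request line itself is left out, roughly as Snort's http_header does.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1], headers + b"\r\n"


def ua_header_matches(header_block: bytes) -> bool:
    """The nocase http_header match shared by both revisions."""
    return UA_CONTENT.lower() in header_block.lower()


def sid31557_rev2(raw: bytes) -> bool:
    """rev 2: URI must contain /2507US-1/ AND the bare UA must be present."""
    uri, headers = split_request(raw)
    return URI_CONTENT in uri and ua_header_matches(headers)


def sid31557_rev3(raw: bytes) -> bool:
    """rev 3: the bare UA alone is enough to fire (and, per policy, drop)."""
    _uri, headers = split_request(raw)
    return ua_header_matches(headers)


# Constructed samples, not captured traffic.
SAMPLES = {
    # The shape rev 2 was written for: the suspicious path plus the bare UA.
    "andromeda_like": (
        b"GET /2507US-1/ HTTP/1.1\r\n"
        b"Host: c2.example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n"
        b"\r\n"
    ),
    # A client sending the bare UA to an ordinary URL, like the Amazon app
    # mentioned in the thread or a one-line script with a hand-set UA.
    # Lower-case on purpose: nocase means it still hits.
    "bare_ua_benign_uri": (
        b"GET /api/v1/status HTTP/1.1\r\n"
        b"Host: www.example.invalid\r\n"
        b"User-Agent: mozilla/5.0\r\n"
        b"Accept: */*\r\n"
        b"\r\n"
    ),
    # A normal browser UA that merely begins with "Mozilla/5.0".
    "full_browser_ua": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.example.invalid\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) "
        b"Gecko/20100101 Firefox/35.0\r\n"
        b"\r\n"
    ),
}


def evaluate(samples=SAMPLES):
    """Map sample name -> (rev2_fires, rev3_fires)."""
    return {name: (sid31557_rev2(req), sid31557_rev3(req))
            for name, req in samples.items()}


if __name__ == "__main__":
    for name, (r2, r3) in evaluate().items():
        print(f"{name:20s} rev2={str(r2):5s} rev3={str(r3):5s}")
```

Run as a script it prints one line per sample: the Andromeda-shaped request fires under both revisions, the full Firefox UA fires under neither (the CRLF anchor holds, as Jeff says), and the benign request with a bare UA fires only under rev 3, which is exactly the class of traffic Anthony and Jeff report as false positives once the http_uri match was removed.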
