Snort mailing list archives

Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 28 Jan 2015 21:06:18 +0000

Thanks Gerry.

--
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 2:04 PM, Dalton, Gerry <Gerry.Dalton () parsons com> wrote:

Funny you mentioned this... our SourceFire alerts were going crazy with this one. We have an Application Jukebox which
goes out to a license server that is triggering this alert. I will post PCAPs to the SourceFire customer site.



Gerry Dalton
Cyber Security Specialist ♦ Cybersecurity Infrastructure

1301 W. Pres. George Bush Hwy, Suite 350 ♦ Richardson, TX 75080-1140
Phone – 972.244.6153 ♦ Mobile – 972.207.6124
gerry.dalton () parsons com ♦ www.parsons.com

-----Original Message-----
From: Joel Esler [mailto:jesler () cisco com]
Sent: Wednesday, January 28, 2015 12:44 PM
To: Benjamin Small
Cc: Rodgers, Anthony (DTMB); snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2015-01-27

On Wed, Jan 28, 2015 at 10:32:43AM -0800, Benjamin Small wrote:
 I get that PCAPs are useful, but this sig has been stripped down to just a
 UA. It's not like the UA is a distinct string, it's a substring of one of
 the most popular UAs you'll see. If this were crafted as a low priority
 "suspicious" rule it would be *almost* ok, but as a drop rule? I would hope
 that your signature review process would have caught something like this.
 -Ben

       Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
       (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 - Win.Trojan.Upatre";
       flow:to_server,established;
       content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header;
       metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http;
       reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/;
       classtype:trojan-activity; sid:31557; rev:3; )


We aren't looking for a "subset" of a string though, we are looking for a distinct string, we are looking for a string
where the entire User-Agent is "Mozilla/5.0", which is not a legitimate browser User-Agent. It may be used by legit
applications in an incorrect way, but it's not a legitimate browser User-Agent.

We're currently evaluating the rule.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
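A worked emulation of the point Joel makes above, added here as an illustration and not code from Talos, Cisco or the Snort project: because the rev 3 content ends in the |0D 0A| header terminator, it only matches when the whole User-Agent value is "Mozilla/5.0", whereas a content of just "Mozilla/5.0" (the substring match Ben describes) would fire on a full browser UA as well. The helper names and the two sample requests are constructed for this example; it approximates Snort's content/nocase/http_header semantics rather than calling Snort itself.

```python
import re

# Hypothetical helper: turn a Snort content string with |hex| escapes into raw bytes.
def snort_content_to_bytes(content: str) -> bytes:
    out = bytearray()
    for literal, hexpart in re.findall(r'([^|]*)(?:\|([0-9A-Fa-f ]+)\|)?', content):
        out += literal.encode('latin-1')
        if hexpart:
            out += bytes.fromhex(hexpart)          # "0D 0A" -> b"\r\n", "3A" -> b":"
    return bytes(out)

# The content from sid:31557 rev 3, and the substring-only variant the thread argues about.
RULE_CONTENT = snort_content_to_bytes("User-Agent|3A| Mozilla/5.0|0D 0A|")
SUBSTRING_ONLY = snort_content_to_bytes("Mozilla/5.0")

def http_headers(request: bytes) -> bytes:
    # http_header restricts the match to the request header block (CRLF-terminated lines).
    return request.split(b"\r\n\r\n", 1)[0] + b"\r\n"

def matches(request: bytes, content: bytes) -> bool:
    # nocase: case-insensitive buffer search for the content bytes.
    return content.lower() in http_headers(request).lower()

def build_request(user_agent: str) -> bytes:
    # Constructed minimal HTTP/1.1 request carrying the given User-Agent value.
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"User-Agent: " + user_agent.encode() + b"\r\nConnection: close\r\n\r\n")

# Constructed samples: a bare UA as described for Upatre, and a full Firefox-style UA.
BARE_UA = build_request("Mozilla/5.0")
BROWSER_UA = build_request("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0")

def evaluate():
    # Returns {name: (rev3_content_matches, substring_only_matches)} for each sample.
    return {name: (matches(req, RULE_CONTENT), matches(req, SUBSTRING_ONLY))
            for name, req in (("bare", BARE_UA), ("browser", BROWSER_UA))}

if __name__ == "__main__":
    for name, (rev3, sub) in evaluate().items():
        print(f"{name:8s} rev3 content: {rev3}  substring only: {sub}")
```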

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership 
with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!