Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27

["lists () packetmail net" <lists () packetmail net>]

This is a horrible way to match Upatre not to mention Upatre changes User-Agents
often, here:

https?:\/\/[^\x3f]+\x2dSP[0-9]*\/[0-9]\/$       Nathan Fowler, Dec 12 2014, ET TROJAN
Upatre Common URI Struct Dec 01 2014 thanks REDACTED.

Cheers,
Nathan

On 01/28/2015 05:16 PM, Mike Hale wrote:
> For what it's worth, I'm also seeing a lot of non-malicious traffic to
> parallels (I believe it's a license check) and google analytics.  Do
> you guys need some pcaps for those?
>
> On Wed, Jan 28, 2015 at 1:39 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
> > We've edited the rule and it will ship in the next rule release.
> >
> > --
> > Joel Esler
> > Sent from my iPhone
> >
> > On Jan 28, 2015, at 1:35 PM, Jamie Riden <jamie.riden () gmail com> wrote:
> >
> > Just as a data point, this is what my Amazon Cloud Player thing says -
> > it shouldn't have matched the posted rule.And it goes over TLS1.2 if I
> > don't force it to proxy.
> >
> > POST /dmls/getStreamingURLs HTTP/1.1
> > Host: www.amazon.co.uk
> > Connection: keep-alive
> > Content-Length: 654
> > Accept: application/json, text/javascript, */*; q=0.01
> > Content-Encoding: amz-1.0
> > Content-Type: application/json; charset=UTF-8
> > Origin: https://www.amazon.co.uk
> > User-Agent: Mozilla/5.0 (Windows 7) AppleWebKit/537.4 (KHTML, like
> > Gecko) Morpho/3.7.1.698 Safari/537.4
> > X-Amz-Target:
> > com.amazon.digitalmusiclocator.DigitalMusicLocatorServiceExternal.getStreamingURLs
> > <snip>
> >
> > On 28 January 2015 at 20:09, Jeff Stebelton <sysprobe9127 () gmail com> wrote:
> >
> > Just an update, all Windows boxes we've seen trigger this were connecting to
> >
> > det-ta-g7g.amazon.com and have Amazon Cloud Player installed. There was also
> >
> > an unknown Mac; we assume it had Cloud Player installed as well.
> >
> >
> > On Wed, Jan 28, 2015 at 1:41 PM, Alex McDonnell <amcdonnell () sourcefire com>
> >
> > wrote:
> >
> >
> > Hi Ben,
> >
> >
> > This UA string is not one that "should" be found, errors like this will
> >
> > happen, User Agents are pretty much user defined, and despite checking
> >
> > against known UA strings on resources like useragentstring.com and
> >
> > www.user-agents.org/ or running against our non trivial amount of pcaps FPs
> >
> > can crop up.
> >
> >
> > A PCAP of the FP can help us identify why this shortened UA string was
> >
> > used and how to avoid it, both now and in future FP testing.
> >
> >
> > Thanks
> >
> > Alex McDonnell
> >
> > TALOS
> >
> >
> > On Wed, Jan 28, 2015 at 1:32 PM, Benjamin Small
> >
> > <benjamin.small83 () gmail com> wrote:
> >
> >
> > I get that PCAPs are useful, but this sig has been stripped down to just
> >
> > a UA. It's not like the UA is a distinct string, it's a substring of one of
> >
> > the most popular UAs you'll see. If this were crafted as a low priority
> >
> > "suspicious" rule would be *almost* ok, but as a drop rule? I would hope
> >
> > that your signature review process would have caught something like this.
> >
> >
> > -Ben
> >
> >
> > On Wed, Jan 28, 2015 at 6:33 AM, Joel Esler (jesler) <jesler () cisco com>
> >
> > wrote:
> >
> >
> > Yeah. Pcaps would help. I think we can isolate the false positives, just
> >
> > want some examples to check against.
> >
> >
> > --
> >
> > Joel Esler
> >
> > Sent from my iPhone
> >
> >
> > On Jan 28, 2015, at 9:29 AM, Jeff Stebelton <sysprobe9127 () gmail com>
> >
> > wrote:
> >
> >
> > Seeing some false positives here. Latest ones appear to be an Amazon app
> >
> > using the Mozilla/5.0 User Agent..
> >
> >
> > On Wed, Jan 28, 2015 at 9:03 AM, Rodgers, Anthony (DTMB)
> >
> > <RodgersA1 () michigan gov> wrote:
> >
> >
> > It looks like the 'content:"/2507US-1/"; ' match has been removed from
> >
> > 1:31557 in rev 3, which is causing a lot of apparent FPs on our network.
> >
> > Anyone else seeing this?
> >
> >
> > Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >
> > (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 -
> >
> > Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/";
> >
> > http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20;
> >
> > nocase; http_header; metadata:policy balanced-ips drop, policy security-ips
> >
> > drop, service http;
> >
> > reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/;
> >
> > classtype:trojan-activity; sid:31557; rev:2; )
> >
> >
> > Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >
> > (msg:"BLACKLIST USER-AGENT known malicious user-agent string - Mozilla/5.0 -
> >
> > Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A|
> >
> > Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header;
> >
> > metadata:impact_flag red, policy balanced-ips drop, policy security-ips
> >
> > drop, service http;
> >
> > reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/;
> >
> > classtype:trojan-activity; sid:31557; rev:3; )
> >
> >
> > Anthony Rodgers
> >
> > Security Analyst
> >
> > Michigan Security Operations Center (MiSOC)
> >
> >
> > -----Original Message-----
> >
> > From: Research [mailto:research () sourcefire com]
> >
> > Sent: Tuesday, January 27, 2015 12:42
> >
> > To: snort-sigs () lists sourceforge net
> >
> > Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
> >
> > 2015-01-27
> Hash: SHA1
>
>
>
> Sourcefire VRT Certified Snort Rules Update
>
>
> Synopsis:
>
> This release adds and modifies rules in several categories.
>
>
> Details:
>
> The VRT has added and modified multiple rules in the blacklist,
>
> browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise,
>
> malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule
>
> sets to provide coverage for emerging threats from these technologies.
>
>
> For a complete list of new and modified rules please see:
>
>
> https://www.snort.org/advisories
>
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> >
> > your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more.
> >
> > Take a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> >
> > your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more. Take
> >
> > a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> >
> > your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more. Take
> >
> > a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> >
> > your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more. Take
> >
> > a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> >
> > your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> >
> > sponsored by Intel and developed in partnership with Slashdot Media, is your
> >
> > hub for all things parallel software development, from weekly thought
> >
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> >
> > look and join the conversation now. http://goparallel.sourceforge.net/
> >
> > _______________________________________________
> >
> > Snort-sigs mailing list
> >
> > Snort-sigs () lists sourceforge net
> >
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> > http://www.snort.org
> >
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> >
> >
> > --
> > Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
> > http://uk.linkedin.com/in/jamieriden
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot Media, is your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> > look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot Media, is your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> > look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!