Snort mailing list archives
FP on 1:44221:1
From: Noah Dunker via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 9 Oct 2017 12:26:57 -0500
We had this rule hit a false positive over the weekend.

GET /images/Arrival.jpg HTTP/1.1
Host: oldbluejacket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://oldbluejacket.com/bootcamp.htm

One of our analysts dug into some of the samples available via VirusTotal (including the one in the reference URL) and added this tweak via Oinkmaster:

modifysid 44221 "http_uri;" | "http_uri; content:\"|50 4B|\"; content:\"exe\"; content:\"html\";"

The resulting signature seems to fire on verified malicious samples.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection"; flow:to_server,established; urilen:19; content:"/images/arrival.jpg"; fast_pattern:only; http_uri; content:"|50 4B|"; content:"exe"; content:"html"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, virustotal.com/#/file/3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e/detection; classtype:trojan-activity; sid:44221; rev:2;)

Cheers.

Noah Dunker
VP of Engineering <https://riskanalytics.com/>
Office / 913.685.6517
PGP / 4886 929b ba09 09be <http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4886929BBA0909BE>
ndunker () riskanalytics com
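The following is an added example, not code from the post or from the Snort or Oinkmaster projects. It models what the Oinkmaster modifysid line in the post does to the rule text (a one-shot substitution on the line carrying the given sid, with the shell-style escaped quotes unescaped) and then evaluates the rule's urilen and content checks against two constructed HTTP requests. Assumptions: the rev:1 rule is reconstructed by removing the three added contents (the post does not show rev:1); Snort `content` matches are byte-exact unless `nocase` is present, so the benign request here uses the lowercase path so that the URI check passes and the difference between rev:1 and rev:2 comes only from the added contents (the post's request shows `Arrival.jpg`); `content` options without an `http_uri` modifier are searched against the whole request, and each content is searched independently because no `distance`/`within` is used; the "malicious" request body is filler that merely contains the three added patterns, not a reproduction of the real sample.

```python
import re

# Hypothetical rev:1 (not shown in the post): the rev:2 rule minus the three added contents.
RULE_REV1 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"MALWARE-CNC Win.Ransomware.SyncCrypt variant initial outbound connection"; '
    'flow:to_server,established; urilen:19; content:"/images/arrival.jpg"; '
    'fast_pattern:only; http_uri; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; '
    'classtype:trojan-activity; sid:44221; rev:1;)'
)

# The post's modifysid, with Oinkmaster's escaped quotes already unescaped.
MODIFYSID_FROM = 'http_uri;'
MODIFYSID_TO = 'http_uri; content:"|50 4B|"; content:"exe"; content:"html";'


def apply_modifysid(rules, sid, old, new):
    """Approximation of Oinkmaster modifysid: substitute old->new once on the line with this sid."""
    out = []
    for line in rules.splitlines():
        if re.search(r'\bsid:\s*%d\s*;' % sid, line):
            line = line.replace(old, new, 1)
        out.append(line)
    return '\n'.join(out)


def split_options(rule):
    """Split the rule body into options on ';' while respecting double-quoted strings."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quotes = [], '', False
    for ch in body:
        if ch == '"' and not cur.endswith('\\'):
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            opts.append(cur.strip())
            cur = ''
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def decode_content(text):
    """Turn a Snort content string into bytes, decoding |hex| segments and \\" escapes."""
    out = b''
    for i, seg in enumerate(text.split('|')):
        if i % 2 == 1:
            out += bytes.fromhex(seg)
        else:
            out += seg.replace('\\"', '"').replace('\\\\', '\\').encode()
    return out


def content_checks(rule):
    """Return (urilen, [{'pattern': bytes, 'buffer': 'uri'|'payload'}, ...]) in rule order."""
    urilen, checks = None, []
    for opt in split_options(rule):
        name, _, val = opt.partition(':')
        if name == 'content':
            checks.append({'pattern': decode_content(val.strip().strip('"')), 'buffer': 'payload'})
        elif name == 'http_uri' and checks:
            checks[-1]['buffer'] = 'uri'          # modifier binds to the preceding content
        elif name == 'urilen':
            urilen = int(val)
    return urilen, checks


def rule_fires(rule, request):
    """Evaluate urilen and the content checks against a raw HTTP request (bytes)."""
    uri = request.split(b'\r\n', 1)[0].split(b' ')[1]
    urilen, checks = content_checks(rule)
    if urilen is not None and len(uri) != urilen:
        return False
    for c in checks:
        haystack = uri if c['buffer'] == 'uri' else request
        if c['pattern'] not in haystack:      # independent search: no distance/within used
            return False
    return True


# Constructed benign request modelled on the post's false positive (path lowercased, see lead-in).
BENIGN_REQUEST = (
    b"GET /images/arrival.jpg HTTP/1.1\r\n"
    b"Host: oldbluejacket.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US,en;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Referer: http://oldbluejacket.com/bootcamp.htm\r\n\r\n"
)

# Constructed filler that carries the three added patterns; not the real sample's traffic.
SAMPLE_REQUEST = (
    b"GET /images/arrival.jpg HTTP/1.1\r\n"
    b"Host: example.invalid\r\n\r\n"
    b"PK\x03\x04 stage.exe <html>"
)

RULE_REV2 = apply_modifysid(RULE_REV1, 44221, MODIFYSID_FROM, MODIFYSID_TO)

if __name__ == "__main__":
    print(RULE_REV2)
    for name, rule in (("rev:1", RULE_REV1), ("rev:2", RULE_REV2)):
        print(name, "benign:", rule_fires(rule, BENIGN_REQUEST),
              "sample:", rule_fires(rule, SAMPLE_REQUEST))
```

Running it shows the reconstructed rev:1 firing on the benign image fetch while rev:2, with the three extra content checks, stays quiet on it and fires only on the request that carries the PK, exe and html bytes.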