Re: Win.Trojan.Nocturnal

[Y M via Snort-sigs <snort-sigs () lists snort org>]

Thanks, John. This sounds a lot better, and good learning.

YM

________________________________
From: John Levy <johlevy () sourcefire com>
Sent: Tuesday, June 12, 2018 6:36 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Win.Trojan.Nocturnal

Hi Yaser,

We reviewed your submissions for this one and decided to tweak the first rule just a little bit and add it to the 
community ruleset (sid 46895). Specifically, we first removed the check for the http_method. Second, we shortened each 
content-match to include just the parameter key and value, and we also shortened the total number of content matches. 
Lastly, we added a check for the specific URI used for our fast pattern. Thanks again for your contribution!

Regards,

John Levy
Cisco Talos

On Jun 4, 2018, at 1:24 PM, Y M via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () lists snort org>> 
wrote:

Hi,

Unfortunately, I don't have pcaps for these.

# --------------------
# Date: 2018-06-01
# Title: Thief in the night: New Nocturnal Stealer grabs data on the cheap
# Tests: syntax only
# Reference: https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap, 
https://www.virustotal.com/#/file/ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e/detection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal outbound connection"; 
flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition: form-data|3B| 
name=|22|hwid|22|"; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|os|22|"; 
http_client_body; content:"Content-Disposition: form-data|3B| name=|22|platform|22|"; http_client_body; 
content:"Content-Disposition: form-data|3B| name=|22|profile|22|"; http_client_body; content:"Content-Disposition: 
form-data|3B| name=|22|user|22|"; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|pcount|22|"; 
http_client_body; content:"Content-Disposition: form-data|3B| name=|22|cccount|22|"; http_client_body; metadata:ruleset 
community, service http; 
reference:url,www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap<http://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap>;
 classtype:trojan-activity; sid:8000096; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC known malicious user-agent - 
Win.Trojan.Nocturnal"; flow:to_server,established; content:"User-Agent: Nocturnal/"; fast_pattern:only; http_header; 
metadata:ruleset community, service http; 
reference:url,www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap<http://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap>;
 classtype:trojan-activity; sid:8000097; rev:1;)

Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org<http://blog.snort.org/> for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org<http://snort.org/> to subscribe to the official Snort ruleset, make sure to stay up to date to 
catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!