Snort mailing list archives
Multiple signatures 006
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 25 Jul 2018 13:39:38 +0000
Hi,

Pcaps are available for some of the signatures below.

# --------------------
# Date: 2018-07-24
# Title: User-Agents of IoT Scanners
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: These are UAs seen in inbound IoT scanners. However, we don't care for inbound traffic
# since there are rules to detect the exploits, and they are noisy. Rather, we use the
# UAs for outbound traffic from the "protected" IoT network, just in case.

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Gemini"; flow:to_server,established; content:"User-Agent: Gemini/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000202; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Hakai"; flow:to_server,established; content:"User-Agent: Hakai/"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000203; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected - Hello, World"; flow:to_server,established; content:"User-Agent: Hello, World"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000204; rev:1;)

# --------------------
# Date: 2018-07-24
# Title: Osx.Backdoor.Calisto
# Tests: syntax only
# Reference:
# - https://securelist.com/calisto-trojan-for-macos/86543/
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; flow:to_server,established; content:"/upload.php?username="; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; classtype:trojan-activity; sid:8000205; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; flow:to_server,established; content:"/listenyee.php"; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; classtype:trojan-activity; sid:8000206; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: AgentTesla SMTP Exfil.
# Reference:
# - https://www.virustotal.com/#/file/030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e/detection
# - https://www.virustotal.com/#/file/0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e/detection
# - https://www.virustotal.com/#/file/b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92/detection
# Tests: pcap
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.AgentTesla outbound SMTP connection"; flow:to_server,established; content:"|0D 0A|Subject: admin/PC Passwords Recovered From: "; fast_pattern:only; metadata: ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Win.Trojan.Betabot
# Reference:
# - https://www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection
# Tests: pcap
# Confidence: low

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betabot variant outbound connection"; flow:to_server,established; content:"/do/logout.php?id="; fast_pattern:only; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection; classtype:trojan-activity; sid:8000208; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Encoded binary downloads with suspicious HTTP Responses
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Observed in Win.Worm.Urahu/Skillies traffic.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE decimal encoded binary download attempt - Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"77 90"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000209; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE base64 encoded binary download attempt - Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"TVqQ"; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000210; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Remote administration tools
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: This is policy only since the tools may be legitimate but
# also outside the scope of the allowed tools per policy. Detection
# on the network may be considered an indicator.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_server,established; content:"<rman_message version="; fast_pattern:only; content:"<code>1</code>"; metadata:ruleset community; classtype:policy-violation; sid:8000211; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; flow:to_client,established; content:"<rman_message version="; fast_pattern:only; content:"<code>3</code>"; content:"</rman_message>"; distance:0; metadata:ruleset community; classtype:policy-violation; sid:8000212; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:8000213; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000214; rev:1;)

Thanks.
YM