
Multiple signatures 006


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 25 Jul 2018 13:39:38 +0000

Hi,

Pcaps are available for some of the signatures below.

# --------------------
# Date: 2018-07-24
# Title: User-Agents of IoT Scanners
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: These are UAs seen in inbound IoT scanners. However, we don't care for inbound traffic
#        since there are rules to detect the exploits, and they are noisy. Rather, we use the
#        UAs for outbound traffic from the "protected" IoT network, just in case.

# Outbound side only: $HOME_NET -> any 80 with flow:to_server, so the "protected"
# network is the one initiating the connection. The destination is "any" rather
# than $EXTERNAL_NET, and the port is fixed at 80 rather than $HTTP_PORTS, so
# internal-to-internal port-80 traffic also qualifies and HTTP on other ports is
# not covered.
# Each rule matches one literal, case-sensitive (no nocase) User-Agent prefix in
# the normalized http_header buffer, used as the sole fast pattern (fast_pattern:only).
alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected 
- Gemini"; flow:to_server,established; content:"User-Agent: Gemini/"; fast_pattern:only; http_header; metadata:ruleset 
community, service http; classtype:attempted-admin; sid:8000202; rev:1;)

# Same shape as sid:8000202 with the "Hakai/" User-Agent prefix.
alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected 
- Hakai"; flow:to_server,established; content:"User-Agent: Hakai/"; fast_pattern:only; http_header; metadata:ruleset 
community, service http; classtype:attempted-admin; sid:8000203; rev:1;)

# Same shape, matching the literal "User-Agent: Hello, World".
# NOTE(review): this UA string is far less distinctive than the two product-style
# prefixes above; presumably that is why the set is rated medium confidence --
# confirm against benign traffic on the protected segment before alerting on it.
alert tcp $HOME_NET any -> any 80 (msg:"INDICATOR-COMPROMISE known IoT scanner User-Agent outbound connection detected 
- Hello, World"; flow:to_server,established; content:"User-Agent: Hello, World"; fast_pattern:only; http_header; 
metadata:ruleset community, service http; classtype:attempted-admin; sid:8000204; rev:1;)

# --------------------
# Date: 2018-07-24
# Title: Osx.Backdoor.Calisto
# Tests: syntax only
# Reference:
#    - https://securelist.com/calisto-trojan-for-macos/86543/
# Confidence: low

# Outbound to $EXTERNAL_NET $HTTP_PORTS on the client side of the session
# (flow:to_server). Two independent http_uri matches: "/upload.php?username="
# (the fast pattern) and "/calisto/"; there is no distance/within between them,
# so they may appear in either order anywhere in the normalized URI.
# Contents are case-sensitive (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; 
flow:to_server,established; content:"/upload.php?username="; fast_pattern:only; http_uri; content:"/calisto/"; 
http_uri; metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; 
classtype:trojan-activity; sid:8000205; rev:1;)

# Same structure for the "/listenyee.php" URI, again paired with an unordered
# "/calisto/" URI match; same reference and msg text as sid:8000205.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Backdoor.Calisto outbound connection"; 
flow:to_server,established; content:"/listenyee.php"; fast_pattern:only; http_uri; content:"/calisto/"; http_uri; 
metadata:ruleset community, service http; reference:url,securelist.com/calisto-trojan-for-macos/86543/; 
classtype:trojan-activity; sid:8000206; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: AgentTesla SMTP Exfil.
# Reference:
#     - https://www.virustotal.com/#/file/030228c5caa62e7727e0a664ef18fdf5663e7edbc2d2f7e5c38bf06526a5023e/detection
#     - https://www.virustotal.com/#/file/0c5f9ab0d84eada4be9e6f86cf81a2b3dd0fbb708342eded078a152490ceb15e/detection
#     - https://www.virustotal.com/#/file/b9253b60188214a143b2b7d2b0a3b1adb1d0834b6fc231b9da7b61c9c3184e92/detection
# Tests: pcap
# Confidence: medium

# Outbound to $EXTERNAL_NET port 587 only (the submission port). The content has
# no buffer modifier, so it is matched against the raw payload: the session must
# carry the literal "Subject: admin/PC Passwords Recovered From: " line in
# cleartext, preceded by a CRLF (|0D 0A|).
# NOTE(review): a client that negotiates STARTTLS before sending the message body
# would not expose this text to the sensor; confirm whether a port 25 variant is
# also wanted.
alert tcp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"MALWARE-CNC Win.Trojan.AgentTesla outbound SMTP connection"; 
flow:to_server,established; content:"|0D 0A|Subject: admin/PC Passwords Recovered From: "; fast_pattern:only; metadata: 
ruleset community, service smtp; classtype:trojan-activity; sid:8000207; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Win.Trojan.Betabot
# Reference:
#     - https://www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection
# Tests: pcap
# Confidence: low

# Outbound HTTP request: the URI must contain "/do/logout.php?id=" (fast pattern)
# and the headers must contain a form-urlencoded Content-Type. The two negated
# header matches require that NO "Connection" and NO "Referer" header be present,
# which narrows the rule to the bare request profile seen in the sample; any client
# that adds either header will not match. All contents are case-sensitive (no nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betabot variant outbound connection"; 
flow:to_server,established; content:"/do/logout.php?id="; fast_pattern:only; http_uri; content:"Content-Type: 
application/x-www-form-urlencoded"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; 
metadata:ruleset community, service http; 
reference:url,www.virustotal.com/#/file/d9b4c76e8eda4842c0db5cedddcaba05d754326c693941c46267506652ba0686/detection; 
classtype:trojan-activity; sid:8000208; rev:1;)
# --------------------
# Date: 2018-07-25
# Title: Encoded binary downloads with suspicious HTTP Responses
# Reference: Research
# Tests: pcap
# Confidence: low
# Notes: Observed in Win.Worm.Urahu/Skillies traffic.

# Inbound response side: $EXTERNAL_NET any -> $HOME_NET any with flow:to_client and
# no port restriction, so the header literal below is what ties the rule to HTTP.
# The fast pattern is the exact three-header sequence "Content-type: ...
# octet-stream", "Content-Disposition: attachment", "Connection: close" with CRLF
# separators, matched case-sensitively (no nocase) -- presumably fingerprinting the
# observed server's header casing; confirm that is intended.
# The second content is evaluated in file_data (the response body) with no
# depth/offset, so "77 90" -- the decimal values of 'M' and 'Z', the PE/DOS header
# magic -- may appear anywhere in the body.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE decimal encoded binary download attempt - 
Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 
0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"77 90"; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000209; rev:1;)

# Same header fast pattern; the body check is "TVqQ", the base64 encoding of the
# first three bytes of a PE file ("MZ" followed by 0x90). Again no depth/offset.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE base64 encoded binary download attempt - 
Win.Worm.Urahu/Skillies"; flow:to_client,established; content:"Content-type: application/octet-stream|0D 
0A|Content-Disposition: attachment|0D 0A|Connection: close|0D 0A|"; fast_pattern:only; file_data; content:"TVqQ"; 
metadata:ruleset community, service http; classtype:trojan-activity; sid:8000210; rev:1;)

# --------------------
# Date: 2018-07-25
# Title: Remote administration tools
# Reference: Research
# Tests: pcap
# Confidence: medium
# Notes: This is policy only since the tools may be legitimate but
#        also outside the scope of the allowed tools per policy. Detection
#        on the network may be considered an indicator.

# RemoteUtilities, client side: outbound to any $EXTERNAL_NET port with
# flow:to_server. Matches the "<rman_message version=" opener (fast pattern) and a
# "<code>1</code>" element anywhere in the raw payload; no distance constraint
# between the two. classtype:policy-violation, so this is a policy hit, not an
# exploit signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; 
flow:to_server,established; content:"<rman_message version="; fast_pattern:only; content:"<code>1</code>"; 
metadata:ruleset community; classtype:policy-violation; sid:8000211; rev:1;)

# RemoteUtilities, server reply: same opener, "<code>3</code>", and a closing
# "</rman_message>" that must occur after the code element (distance:0).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - RemoteUtilities"; 
flow:to_client,established; content:"<rman_message version="; fast_pattern:only; content:"<code>3</code>"; 
content:"</rman_message>"; distance:0; metadata:ruleset community; classtype:policy-violation; sid:8000212; rev:1;)

# Imminent, client side: the payload is exactly 10 bytes (dsize:10) and the content
# is a 10-byte sequence, so the whole packet must equal these bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; 
flow:to_server,established; dsize:10; content:"|06 00 00 00 81 13 14 6E 5B 69|"; fast_pattern:only; metadata:ruleset 
community; classtype:policy-violation; sid:8000213; rev:1;)

# Imminent, server side: a 48-byte payload (dsize:48) containing the 9-byte
# sequence below, with a "$" exactly 2 bytes after the end of that sequence
# (distance:2). The 9-byte content has no offset, so it is not pinned to the start
# of the packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY-OTHER Remote Administration Tool detected - Imminent"; 
flow:to_client,established; dsize:48; content:"|2C 00 00 00 02 00 00 00 01|"; fast_pattern:only; content:"$"; 
distance:2; metadata:ruleset community; classtype:policy-violation; sid:8000214; rev:1;)

Thanks.
YM