[Emerging-Sigs] gicia.info
Matt Jonkman
jonkman at jonkmans.com
Tue Jul 8 14:59:11 EDT 2008
Oh, forgot we can hit id= as well.
Philipp Bescht wrote:
> hi,
>
> gicia.info is a c&c related to the injected domain google-stat.net
> as mentioned in the recent ISC SANS diary ('Bad url classification'). I
> came across this one a few months ago already and noticed the
> uri parameters did not change. The requests look like this:
>
> GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz1
> GET /cd/un2.php?id=1C8E0A5E3A08956&ver=nz0
> GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz0
> GET /cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1
> GET /cd/un.php?id=1C8E0A5E3A08956&ver=ig0
>
> Now I propose the following 3 signatures:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"gicia.info
> trojan activity"; flow:established,to_server;
> uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase;
> classtype:trojan-activity; sid:2009957; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"gicia.info
> trojan activity 2"; flow:established,to_server;
> uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase;
> classtype:trojan-activity; sid:2009958; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"gicia.info
> trojan activity 3"; flow:established,to_server;
> uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase;
> classtype:trojan-activity; sid:2009959; rev:1;)
>
> My question is: Is it better (in terms of performance) to sum those
> up in one single signature using pcre, or is there anything else to
> optimize (perhaps even using just the first signature and skipping the
> others)?
>
> Thanks in advance and best regards,
> Philipp
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
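As an added example (not from this thread or Emerging Threats), the check below applies the three proposed rules' uricontent pairs and the single consolidated pcre Philipp asks about to the request lines quoted above plus a few constructed ones, and also tries a stricter variant that constrains the id= value as Matt's follow-up suggests. The id shape used there (hex digits, optional "1-" prefix) is an assumption inferred from the five quoted requests.

```python
import re

# Request lines quoted in the thread, plus constructed ones (not from the thread).
SAMPLE_URIS = [
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=nz1",
    "/cd/un2.php?id=1C8E0A5E3A08956&ver=nz0",
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=nz0",
    "/cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1",
    "/cd/un.php?id=1C8E0A5E3A08956&ver=ig0",
    "/cd/index.php?id=1C8E0A5E3A08956&ver=nz1",  # constructed: other script name
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=ab1",     # constructed: other ver prefix
    "/cd/cd.php?id=xyz&ver=nz1",                 # constructed: id is not hex
]

# The three proposed rules as their two nocase uricontent strings, keyed by sid.
CONTENT_RULES = {
    2009957: ("/cd/cd.php?id=", "&ver=nz"),
    2009958: ("/cd/un2.php?id=", "&ver=nz"),
    2009959: ("/cd/un.php?id=", "&ver=ig"),
}

def match_content_rules(uri):
    """sids whose two uricontent strings both occur in the URI, case-insensitively."""
    u = uri.lower()
    return sorted(sid for sid, (a, b) in CONTENT_RULES.items()
                  if a.lower() in u and b.lower() in u)

# One pattern covering the three rules: cd.php/un2.php pair with ver=nz,
# un.php pairs with ver=ig. As a Snort 2 pcre this is the same expression
# between /.../ with the Ui modifiers (URI buffer, case-insensitive).
COMBINED = re.compile(
    r"/cd/(?:(?:cd|un2)\.php\?id=.*&ver=nz|un\.php\?id=.*&ver=ig)", re.IGNORECASE)

# Stricter variant that also constrains the id value. Its shape (hex digits,
# optional "1-" prefix) is an assumption inferred from the five quoted requests.
STRICT_ID = re.compile(
    r"/cd/(?:(?:cd|un2)\.php\?id=(?:1-)?[0-9a-f]+&ver=nz"
    r"|un\.php\?id=(?:1-)?[0-9a-f]+&ver=ig)", re.IGNORECASE)

def match_combined(uri, pattern=COMBINED):
    return pattern.search(uri) is not None

def compare(uris=SAMPLE_URIS):
    """Per URI: (sids from the three rules, combined verdict, strict-id verdict).
    Confirms the consolidated pcre neither widens nor narrows the three rules on
    these samples, and shows where constraining id= drops a hit the looser form raises."""
    return {u: (match_content_rules(u), match_combined(u),
                match_combined(u, STRICT_ID)) for u in uris}
```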