[Emerging-Sigs] Hupigon sigs

Darren Spruell phatbuckett at gmail.com
Thu Jan 15 19:56:52 EST 2009


On Thu, Jan 15, 2009 at 4:50 PM, Frank Knobbe <frank at knobbe.us> wrote:
> On Thu, 2009-01-15 at 14:35 -0700, Darren Spruell wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>> content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><";
>> distance:0; content:"<MEM>"; content:"</MEM><"; distance:0;
>
>> ...although I have to wonder if the match would work correctly:
>> wouldn't the 'content:"<CPU>"; content:"</CPU><"; distance:0;' matches
>> only hit on '<CPU></CPU><' due to the distance:0? (i.e. empty tag
>> value?)
>
> Yeah, I think there is a "within" missing that gives enough room for
> actual data between <CPU> and </CPU> :)
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>> content:"|00 00 00|"; depth:3; content:"<CPU>"; content:"</CPU><";
>> content:"<MEM>"; content:"</MEM><";
>> pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
>> classtype:trojan-activity;
>> reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
>> sid:2007918; rev:2;)
>
>
> I'd rather use:
> content:"<CPU>"; content:"</CPU><"; distance:0; within:27;
> content:"<MEM>"; content:"</MEM><"; distance:0; within:27;
>
> (20 chars for MEM and CPU values)
>
> Thoughts?

Yep. I was hoping someone would chime in with something to tighten
them down a bit more. :)

-- 
Darren Spruell
phatbuckett at gmail.com
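The distance/within discussion above is easy to check mechanically. The following is an added example, not code from the thread or from Emerging Threats: it transcribes the two content chains quoted in the thread (the rev:2 rule and Frank's tightened version, plus the rule's pcre) and evaluates them against constructed payloads with a small emulation of Snort's relative-match semantics, where `distance:N` moves the search start N bytes past the end of the previous match and `within:N` requires the next pattern to end no more than N bytes past it. The `build_payload` helper, the 4-byte prefix it uses and the trailing `<X>` tag are assumptions made for the example; the emulation is first-occurrence only and does not model Snort's re-search when a later content in the chain fails.

```python
import re

# Snort rule options quoted in the thread, transcribed into matcher lists.
# A matcher with "depth" is absolute (searched from offset 0, first N bytes);
# one with "distance"/"within" is relative to the end of the previous match;
# one with neither is an absolute search over the whole payload.
ORIGINAL_CHAIN = [
    {"pattern": b"\x00\x00\x00", "depth": 3},
    {"pattern": b"<CPU>"},
    {"pattern": b"</CPU><"},
    {"pattern": b"<MEM>"},
    {"pattern": b"</MEM><"},
]

# Frank's proposal: tie each closing tag to its opening tag and cap the gap at
# 27 bytes (7 bytes of "</CPU><" leaves 20 bytes for the tag value).
TIGHTENED_CHAIN = [
    {"pattern": b"\x00\x00\x00", "depth": 3},
    {"pattern": b"<CPU>"},
    {"pattern": b"</CPU><", "distance": 0, "within": 27},
    {"pattern": b"<MEM>"},
    {"pattern": b"</MEM><", "distance": 0, "within": 27},
]

# The pcre from the rule: the fourth byte must fall in the listed ranges.
PCRE = re.compile(rb"^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])")


def build_payload(cpu: str, mem: str, prefix: bytes = b"\x00\x00\x00\x8a") -> bytes:
    """Constructed sample payload (not captured traffic): an assumed 4-byte
    prefix followed by the XML-like stats block the rule describes. The
    trailing <X> tag is a placeholder so that "</MEM><" has something to match."""
    return prefix + f"<CPU>{cpu}</CPU><MEM>{mem}</MEM><X>".encode()


def match_chain(payload: bytes, chain) -> bool:
    """Evaluate content matchers in order with Snort-style cursor tracking.
    The cursor sits at the end of the previous match; distance:N starts the
    search N bytes past it, within:N requires the whole pattern to end at
    most N bytes past it. bytes.find(sub, start, end) enforces that the
    pattern fits entirely inside [start, end)."""
    cursor = 0
    for m in chain:
        pat = m["pattern"]
        if "depth" in m:
            start, end = 0, m["depth"]
        elif "distance" in m or "within" in m:
            start = cursor + m.get("distance", 0)
            end = cursor + m["within"] if "within" in m else len(payload)
        else:
            start, end = 0, len(payload)
        idx = payload.find(pat, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pat)
    return True


def rule_matches(payload: bytes, chain) -> bool:
    """Whole detection logic of the rule: content chain plus the pcre check."""
    return match_chain(payload, chain) and PCRE.match(payload) is not None


if __name__ == "__main__":
    cases = [
        ("empty tags", "", ""),
        ("20-byte values", "x" * 20, "y" * 20),
        ("21-byte values", "x" * 21, "y" * 21),
    ]
    for label, cpu, mem in cases:
        p = build_payload(cpu, mem)
        print(f"{label:15} original={rule_matches(p, ORIGINAL_CHAIN)} "
              f"tightened={rule_matches(p, TIGHTENED_CHAIN)}")
```

Running it shows that `distance:0` by itself does not force the closing tag to follow immediately (empty and 20-byte values both match the tightened chain), that the `within:27` cap is what rejects a 21-byte value, and that a payload whose fourth byte is outside the pcre's ranges fires neither version.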