[Emerging-Sigs] Hupigon sigs

Darren Spruell phatbuckett at gmail.com
Sun Jan 25 17:14:55 EST 2009


On Thu, Jan 15, 2009 at 4:50 PM, Frank Knobbe <frank at knobbe.us> wrote:
> On Thu, 2009-01-15 at 14:35 -0700, Darren Spruell wrote:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>> content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><";
>> distance:0; content:"<MEM>"; content:"</MEM><"; distance:0;
>
>> ...although I have to wonder if the match would work correctly:
>> wouldn't the 'content:"<CPU>"; content:"</CPU><"; distance:0;' matches
>> only hit on '<CPU></CPU><' due to the distance:0? (i.e. empty tag
>> value?)
>
> Yeah, I think there is a "within" missing that gives enough room for
> actual data between <CPU> and </CPU> :)
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>> content:"|00 00 00|"; depth:3; content:"<CPU>"; content:"</CPU><";
>> content:"<MEM>"; content:"</MEM><";
>> pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
>> classtype:trojan-activity;
>> reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
>> sid:2007918; rev:2;)
>
>
> I'd rather use:
> content:"<CPU>"; content:"</CPU><"; distance:0; within:27;
> content:"<MEM>"; content:"</MEM><"; distance:0; within:27;
>
> (20 chars for MEM and CPU values)
>
> Thoughts?

How do these work?

Modified existing sig, also with Hupigon notation in name:

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon
Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
content:"|00 00 00|"; depth:3; content:"<CPU>";
content:"</CPU><"; distance:0; within:27; content:"<MEM>";
content:"</MEM><"; distance:0; within:27;
pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
classtype:trojan-activity;
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
sid:2007918; rev:2;)

And for the "I" variant:

# Note: "</CPUI><" is 8 bytes, so within:7 cannot hold the closing content and
# the tag checks below can never match; within has to be at least the content
# length plus whatever value bytes are expected between the tags.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon
Dropper-497 (Yumato) System Stats Report (I-variant)";
flow:established,to_server; content:"|00 00 00|"; depth:3;
content:"<CPUI>"; content:"</CPUI><"; distance:0; within:7;
content:"<MEMI>"; content:"</MEMI><"; distance:0; within:7;
pcre:"/^\x00\x00\x00[\x72-\x74]/"; classtype:trojan-activity;
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com
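The effect of the distance/within pair discussed in this thread is easy to get wrong by a byte or two, so here is a small emulator of the Snort 2 content modifiers the rules use (an added example; it is not code from the thread, from Emerging Threats, or from Snort itself). It walks the rev:2 rule's content chain over constructed stats-report payloads and shows that `distance:0; within:27;` leaves exactly 20 bytes for the value between `<CPU>` and `</CPU><`, that an empty tag still matches, and that a `within` smaller than the closing content (the I-variant's `within:7` against the 8-byte `</CPUI><`) can never match. The payloads and the helper names (`snort_content`, `stats_report_matches`, `max_value_len`) are all made up for the example.

```python
import re

# Added example (not from the thread or the ET rule set): a small emulator of
# the Snort 2 content modifiers the rules above rely on, so the effect of
# "distance:0; within:27;" on the <CPU>..</CPU>< tags can be checked offline.


def snort_content(payload, pattern, prev_end=None, distance=None,
                  within=None, depth=None):
    """Return the end offset of `pattern` in `payload`, or None if absent.

    depth:N               pattern must lie entirely in the first N bytes
    distance:D / within:W relative to the previous match end: the search
                          starts D bytes after it and the whole pattern must
                          fit inside the next W bytes
    A content with no relative modifier is searched from offset 0.
    """
    start = 0
    if distance is not None or within is not None:
        if prev_end is None:
            raise ValueError("relative modifier needs a previous match")
        start = prev_end + (distance or 0)
    end = len(payload)
    if within is not None:
        end = min(end, start + within)
    if depth is not None:
        end = min(end, start + depth)
    # bytes.find honours both bounds, so the pattern must fit in [start, end)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


# Tag pairs and length-byte pcre taken from the rev:2 rule in the thread.
STATS_TAGS = [(b"<CPU>", b"</CPU><"), (b"<MEM>", b"</MEM><")]
STATS_PCRE = rb"^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])"


def stats_report_matches(payload, tags=STATS_TAGS, within=27, pcre=STATS_PCRE):
    """Evaluate the rule's content/pcre chain against one TCP payload."""
    # content:"|00 00 00|"; depth:3;
    if snort_content(payload, b"\x00\x00\x00", depth=3) is None:
        return False
    for open_tag, close_tag in tags:
        # content:"<CPU>"; (unanchored, searched from the start of the payload)
        open_end = snort_content(payload, open_tag)
        if open_end is None:
            return False
        # content:"</CPU><"; distance:0; within:27;
        if snort_content(payload, close_tag, prev_end=open_end,
                         distance=0, within=within) is None:
            return False
    # pcre:"/^.../" without the R modifier is anchored at payload offset 0
    return re.match(pcre, payload) is not None


def max_value_len(close_tag, within):
    """Bytes of tag value a `distance:0; within:W` pair tolerates.

    A negative result means the closing content itself cannot fit in the
    window, so a rule built that way can never match.
    """
    return within - len(close_tag)


# Constructed sample payloads (not real captures). The 4th byte plays the
# role of the length byte that the pcre checks.
REPORT_OK = (b"\x00\x00\x00\x8b"
             b"<CPU>Pentium 4 2.4GHz</CPU><MEM>512MB</MEM><OS>XP</OS>")
REPORT_EMPTY = b"\x00\x00\x00\x94<CPU></CPU><MEM></MEM><"
# 22-byte CPU value: over the 20 bytes that within:27 leaves for data
REPORT_LONG = (b"\x00\x00\x00\x8b"
               b"<CPU>Intel Core 2 Duo E6600</CPU><MEM>1GB</MEM><")
# Same layout, but the length byte is outside the pcre ranges
REPORT_BAD_LEN = b"\x00\x00\x00\x50<CPU>x</CPU><MEM>y</MEM><"


if __name__ == "__main__":
    for name, payload in [("ok", REPORT_OK), ("empty", REPORT_EMPTY),
                          ("long", REPORT_LONG), ("bad-len", REPORT_BAD_LEN)]:
        print(f"{name:8s} match={stats_report_matches(payload)}")
    print("value budget </CPU><  within:27 ->", max_value_len(b"</CPU><", 27))
    print("value budget </CPUI>< within:7  ->", max_value_len(b"</CPUI><", 7))
```

Running it prints match=True for the normal and empty-tag reports and match=False for the over-long value and the wrong length byte; the I-variant budget comes out at -1, which is the quickest way to see that `within` has to be raised before that rule can fire at all.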

