[Emerging-Sigs] Hupigon sigs

Darren Spruell phatbuckett at gmail.com
Sun Jan 25 17:41:40 EST 2009


On Sun, Jan 25, 2009 at 3:14 PM, Darren Spruell <phatbuckett at gmail.com> wrote:
> On Thu, Jan 15, 2009 at 4:50 PM, Frank Knobbe <frank at knobbe.us> wrote:
>> On Thu, 2009-01-15 at 14:35 -0700, Darren Spruell wrote:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>>> content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><";
>>> distance:0; content:"<MEM>"; content:"</MEM><"; distance:0;
>>
>>> ...although I have to wonder if the match would work correctly:
>>> wouldn't the 'content:"<CPU>"; content:"</CPU><"; distance:0;' matches
>>> only hit on '<CPU></CPU><' due to the distance:0? (i.e. empty tag
>>> value?)
>>
>> Yeah, I think there is a "within" missing that gives enough room for
>> actual data between <CPU> and </CPU> :)
>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
>>> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
>>> content:"|00 00 00|"; depth:3; content:"<CPU>"; content:"</CPU><";
>>> content:"<MEM>"; content:"</MEM><";
>>> pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
>>> classtype:trojan-activity;
>>> reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
>>> sid:2007918; rev:2;)
>>
>>
>> I'd rather use:
>> content:"<CPU>"; content:"</CPU><"; distance:0; within:27;
>> content:"<MEM>"; content:"</MEM><"; distance:0; within:27;
>>
>> (20 chars for MEM and CPU values)
>>
>> Thoughts?
>
> How do these work?
>
> Modified existing sig, also with Hupigon notation in name:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon
> Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
> content:"|00 00 00|"; depth:3; content:"<CPU>";
> content:"</CPU><"; distance:0; within:27; content:"<MEM>";
> content:"</MEM><"; distance:0; within:27;
> pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
> classtype:trojan-activity;
> reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
> sid:2007918; rev:2;)
>
> And for the "I" variant:

Bad regex on the last message; how about this:

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon
Dropper-497 (Yumato) System Stats Report (I-variant)";
flow:established,to_server; content:"|00 00 00|"; depth:3;
content:"<CPUI>"; content:"</CPUI><"; distance:0; within:7;
content:"<MEMI>"; content:"</MEMI><"; distance:0; within:7;
pcre:"/^\x00\x00\x00[\x72-\x74]/"; classtype:trojan-activity;
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com
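To check the distance/within discussion in this thread against concrete payloads, here is an added Python emulation of Snort 2.x relative content matching (not code from the thread or from Emerging Threats). It assumes the Snort 2.x window semantics described in the comments, and the `report()` payload is a constructed stand-in, not a captured sample.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Emulation of Snort 2.x relative content matching. "doe" is Snort's
# detect-offset-end: the byte just past the previous content match. A
# relative content searches a window starting `distance` bytes past doe;
# `within` is the window length, so a pattern of P bytes may be preceded by
# at most within-P bytes. Without `within` the window runs to the end of the
# payload, so distance:0 alone does not force the two tags to be adjacent.
@dataclass
class Content:
    pattern: bytes
    relative: bool = False     # True when distance/within are given
    distance: int = 0          # bytes skipped after the previous match
    within: int | None = None  # window length (acts as depth when absolute)

def matches(payload: bytes, chain: list[Content]) -> bool:
    doe = 0
    for c in chain:
        start = doe + c.distance if c.relative else 0
        end = len(payload) if c.within is None else start + c.within
        idx = payload.find(c.pattern, start, end)  # must fit inside window
        if idx < 0:
            return False
        doe = idx + len(c.pattern)
    return True

HDR = Content(b"\x00\x00\x00", within=3)  # content:"|00 00 00|"; depth:3;
PCRE = re.compile(rb"^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])")

# rev:2 as first posted: distance:0 with no within on the closing tags
LOOSE = [HDR, Content(b"<CPU>"), Content(b"</CPU><", True, 0),
         Content(b"<MEM>"), Content(b"</MEM><", True, 0)]
# Frank's "distance:0; within:27;": 27 - len("</CPU><") = 20 bytes of value
BOUNDED = [HDR, Content(b"<CPU>"), Content(b"</CPU><", True, 0, 27),
           Content(b"<MEM>"), Content(b"</MEM><", True, 0, 27)]

def rule_fires(payload: bytes, chain: list[Content]) -> bool:
    return bool(PCRE.match(payload)) and matches(payload, chain)

def report(cpu: bytes, mem: bytes) -> bytes:
    """Constructed stand-in for the report body; 0x8b is only a byte inside
    the pcre's first range, not a field taken from a real sample."""
    return b"\x00\x00\x00\x8b<CPU>" + cpu + b"</CPU><MEM>" + mem + b"</MEM><"

if __name__ == "__main__":
    big = report(b"9" * 21, b"1")
    print(rule_fires(big, LOOSE), rule_fires(big, BOUNDED))  # True False
```

A 21-byte CPU value still fires the unbounded chain but not the within:27 one, while a value of exactly 20 bytes fires both.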

