[Emerging-Sigs] whoops... parse pattern, gotta lint those rules!

Michael Scheidell scheidell at secnap.net
Fri Jan 30 07:16:10 EST 2009


FATAL ERROR: rules/emerging-virus.rules(802) => ParsePattern Got Null enclosed in quotation marks (")

Maybe we need an old Snort 2.4 version around! (That pesky ":".) Line 806 also.

grep 'Content-Type:' *.rules

(need second \\ to escape the \ to insert the \)

sed -i '' -e '/^alert.*Gozi/s/Content-Type:/Content-Type\\:/' emerging*.rules


diff -bBru emerging-virus.rules emerging-virus.rules.orig
--- emerging-virus.rules.orig        Fri Jan 30 03:22:48 2009
+++ emerging-virus.rules   Fri Jan 30 07:07:39 2009
@@ -799,7 +799,7 @@
 
 #by Secureworks
 # Paper here: www.secureworks.com/research/threats/gozi/?threat=gozi
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
Gozi Certificate Information Leakage"; flow:to_server,established; 
content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; 
uricontent:"&version_id="; content:"|0d 0a|Content-Type: 
multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: 
Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 
0a|Host\: "; classtype:trojan-activity; 
reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; 
rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
Gozi Certificate Information Leakage"; flow:to_server,established; 
content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; 
uricontent:"&version_id="; content:"|0d 0a|Content-Type\: 
multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: 
Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 
0a|Host\: "; classtype:trojan-activity; 
reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; 
rev:3;)
 
 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
Gozi Registration"; flow:to_server,established; content:"GET 
/cgi-bin/options.cgi"; depth:24; uricontent:"user_id="; 
uricontent:"&version_id="; content:"|0d 0a|User-Agent\: Mozilla/4.0 
(compatible\; MSIE 6.0\; Windows NT 5.1)"; classtype:trojan-activity; 
reference:url,www.secureworks.com/research/threats/gozi; sid:2003510; 
rev:3;)
 
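Review bot: the content of sid:2003509 changes (`Content-Type:` becomes `Content-Type\:`) but `rev:3` is left as it was; bump it to `rev:4` so anything tracking rule revisions picks up the corrected body. The escape itself is consistent with the other content strings in the same rule, which already write `User-Agent\:` and `Host\:`. Note that this hunk covers lines 799-805 only, so the line 806 failure mentioned at the top of the message is not addressed here, and the sed's `/^alert.*Gozi/` address will also miss any non-Gozi rule with the same bare colon.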


-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * King of Spam Filters, SC Magazine 2008
    * Information Security Award 2008, Info Security Products Guide
    * CRN Magazine Top 40 Emerging Security Vendors
    * Finalist 2009 Network Products Guide Hot Companies
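A rule-aware linter for the escaping problem the post describes, as an added example (this is not code from the post or from Emerging Threats). It splits a Snort 2.x rule into its options, walks each content:/uricontent: string honouring backslash escapes and |hex| blocks, flags unescaped `;`, `"`, `|` and the bare `:` that tripped the parser, and can apply the same colon escape the sed one-liner does, but only inside content strings, so msg: and reference: values are untouched. The sample rule is the sid:2003509 text from the diff reflowed onto one line; the splitting and escaping rules assumed are the ones visible in the post, not a complete Snort grammar.

```python
"""Lint Snort 2.x rule content strings for unescaped special characters.
Added example, not code from the mailing-list post or the ET project; it
assumes only the rule syntax seen in the post (content:"..." with |hex|
blocks and backslash escapes, options separated by ';')."""
import re

MUST_ESCAPE = set(';"\\|')   # required escapes in every Snort 2.x content
LEGACY_ESCAPE = set(':')     # the post's parser choked on a bare ':'
_CONTENT_RE = re.compile(r'\b(uricontent|content):"((?:[^"\\]|\\.)*)"')


def split_options(rule):
    """Split the text inside the outer parentheses on ';' characters that
    are neither backslash-escaped nor inside a quoted string."""
    if '(' not in rule or ')' not in rule:
        return []
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if ch == ';' and not in_quote and not esc:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        if ch == '"' and not esc:
            in_quote = not in_quote
        esc = (ch == '\\') and not esc   # True only after a bare backslash
        cur.append(ch)
    if ''.join(cur).strip():
        opts.append(''.join(cur).strip())
    return opts


def lint_content(value):
    """Problems in one quoted content value, e.g. '"|0d 0a|Host\\: "'."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return ['value is not enclosed in quotation marks']
    inner, problems, i, in_hex = value[1:-1], [], 0, False
    if not inner:
        problems.append('empty content string')
    while i < len(inner):
        ch = inner[i]
        if ch == '\\':          # escaped character: skip it whole
            i += 2
            continue
        if ch == '|':
            in_hex = not in_hex
        elif in_hex and not re.fullmatch(r'[0-9A-Fa-f ]', ch):
            problems.append("non-hex character '%s' inside |...|" % ch)
        elif ch in MUST_ESCAPE:
            problems.append("unescaped '%s' at offset %d" % (ch, i))
        elif ch in LEGACY_ESCAPE:
            problems.append("unescaped ':' at offset %d (write '\\:')" % i)
        i += 1
    if in_hex:
        problems.append('unterminated |hex| block')
    return problems


def lint_rule(rule):
    """Map each offending content/uricontent option to its problems."""
    report = {}
    for opt in split_options(rule):
        name, sep, value = opt.partition(':')
        if sep and name.strip() in ('content', 'uricontent'):
            # a leading '!' negates the match and is not part of the pattern
            probs = lint_content(value.strip().lstrip('!'))
            if probs:
                report[opt] = probs
    return report


def escape_colons(rule):
    """Escape bare ':' inside content/uricontent strings only (what the sed
    one-liner in the post does, but msg: and reference: stay intact)."""
    def fix(m):
        inner, out, i = m.group(2), [], 0
        while i < len(inner):
            if inner[i] == '\\':          # keep existing escapes as they are
                out.append(inner[i:i + 2])
                i += 2
            else:
                out.append('\\:' if inner[i] == ':' else inner[i])
                i += 1
        return '%s:"%s"' % (m.group(1), ''.join(out))
    return _CONTENT_RE.sub(fix, rule)


# Constructed sample: sid:2003509 as it stood before the diff in the post.
BROKEN_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi '
    'Certificate Information Leakage"; flow:to_server,established; '
    'content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; '
    'uricontent:"&version_id="; content:"|0d 0a|Content-Type: '
    'multipart/form-data\\; boundary="; content:"|0d 0a|User-Agent\\: '
    'Mozilla/4.0 (compatible\\; MSIE 6.0\\; Windows NT 5.1)"; '
    'content:"|0d 0a|Host\\: "; classtype:trojan-activity; '
    'reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:3;)'
)

if __name__ == '__main__':
    for opt, probs in lint_rule(BROKEN_RULE).items():
        print(opt, '->', probs)
    print(lint_rule(escape_colons(BROKEN_RULE)))  # {} once the colon is escaped
```

Run it over a .rules file line by line (skipping `#` comments) and the line numbers it reports are the ones the FATAL ERROR would otherwise point at; the splitter is quote-aware, so an unescaped `;` inside a string is reported as a lint finding rather than silently terminating the option.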

