[Emerging-Sigs] woops... parse pattern, gota lint those rules!

Matt Jonkman jonkman at jonkmans.com
Fri Jan 30 13:36:06 EST 2009


Rev 4 in CVS is escaped correctly. Can you update and retest for me?

Thanks Michael!

Matt

Michael Scheidell wrote:
> FATAL ERROR: rules/emerging-virus.rules(802) => ParsePattern Got Null enclosed in quotation marks (")
> maybe we need an old snort 2.4 version around!  (that pesky : )  line
> 806 also.
> 
> grep 'Content-Type:' *.rules
> 
> (need second \\ to escape the \ to insert the \)
> 
> sed -i '' -e '/^alert.*Gozi/s/Content-Type:/Content-Type\\:/' emerging*.rules
> 
> 
> diff -bBru emerging-virus.rules emerging-virus.rules.orig
> --- emerging-virus.rules.orig        Fri Jan 30 03:22:48 2009
> +++ emerging-virus.rules   Fri Jan 30 07:07:39 2009
> @@ -799,7 +799,7 @@
>  
>  #by Secureworks
>  # Paper here: www.secureworks.com/research/threats/gozi/?threat=gozi
> -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Gozi Certificate Information Leakage"; flow:to_server,established;
> content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id=";
> uricontent:"&version_id="; content:"|0d 0a|Content-Type:
> multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\:
> Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d
> 0a|Host\: "; classtype:trojan-activity;
> reference:url,www.secureworks.com/research/threats/gozi; sid:2003509;
> rev:3;)
> +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Gozi Certificate Information Leakage"; flow:to_server,established;
> content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id=";
> uricontent:"&version_id="; content:"|0d 0a|Content-Type\:
> multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\:
> Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d
> 0a|Host\: "; classtype:trojan-activity;
> reference:url,www.secureworks.com/research/threats/gozi; sid:2003509;
> rev:3;)
>  
>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Gozi Registration"; flow:to_server,established; content:"GET
> /cgi-bin/options.cgi"; depth:24; uricontent:"user_id=";
> uricontent:"&version_id="; content:"|0d 0a|User-Agent\: Mozilla/4.0
> (compatible\; MSIE 6.0\; Windows NT 5.1)"; classtype:trojan-activity;
> reference:url,www.secureworks.com/research/threats/gozi; sid:2003510;
> rev:3;)
>  
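Review bot: the `+` line changes the rule body (`Content-Type:` becomes `Content-Type\:`) but keeps `rev:3;`; bump it to `rev:4;` so rule-management tooling registers the edit, which also matches the Rev 4 reported in CVS. The hunk only touches sid:2003509 at line 802, while the message says line 806 fails too, and the sed address `/^alert.*Gozi/` leaves any non-Gozi rule that the `grep 'Content-Type:' *.rules` turns up untouched; the escaped form is at least consistent with the `User-Agent\:` and `Host\:` already present in the same rule.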
> 
> 
> -- 
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
> 
>     * Certified SNORT Integrator
>     * King of Spam Filters, SC Magazine 2008
>     * Information Security Award 2008, Info Security Products Guide
>     * CRN Magazine Top 40 Emerging Security Vendors
>     * Finalist 2009 Network Products Guide Hot Companies
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
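The parse error and the sed one-liner in the quoted post are all the thread records about the fix. As an added example that is not from the thread or the Emerging Threats project, here is a small Python linter that does what the subject line asks for: it walks each `content:"..."` / `uricontent:"..."` string of a rule, honours backslash escapes and `|hex|` segments, reports unescaped `:` and `;` characters, and can emit the escaped rule for every content string rather than only `Content-Type:`. The rules in `SAMPLE_RULES` are constructed with placeholder sids, and treating `:` as a character that needs escaping is an assumption taken from the thread (old Snort 2.x releases choked on it), not a requirement of current Snort.

```python
"""Added example (not from the thread): lint Snort/ET rule files for special
characters left unescaped inside content:"..." strings.

Snort's rule parser treats ';', '"' and '\\' specially inside a content string;
the Emerging Threats rules also escape ':' so that older Snort 2.x releases
(the ParsePattern fatal error quoted above) accept them."""
import re

# Characters that must carry a backslash inside a content string.
# Assumption: ':' is included for old-Snort compatibility, as the ET rules do.
NEEDS_ESCAPE = {":", ";"}

# Start of a content:"..." or uricontent:"..." option.
OPTION_RE = re.compile(r'\b(?:uri)?content\s*:\s*"')
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")


def content_spans(rule):
    """Yield (start, end) of each content string body, honouring backslash escapes.

    rule[start:end] is the text between the quotes, escapes left intact."""
    pos = 0
    while True:
        m = OPTION_RE.search(rule, pos)
        if not m:
            return
        i = m.end()
        while i < len(rule) and rule[i] != '"':
            i += 2 if rule[i] == "\\" else 1  # a backslash consumes the next char
        if i >= len(rule):
            raise ValueError("unterminated content string: %r" % rule)
        yield m.end(), i
        pos = i + 1


def unescaped_positions(body):
    """Return indexes of characters in body that need a backslash but lack one."""
    hits = []
    in_hex = False
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            i += 2  # escaped character, whatever it is
            continue
        if c == "|":
            in_hex = not in_hex  # |0d 0a| segments hold hex digits, never literal text
        elif c in NEEDS_ESCAPE and not in_hex:
            hits.append(i)
        i += 1
    return hits


def _is_rule(line):
    return bool(line.strip()) and not line.lstrip().startswith("#")


def lint_rules(text):
    """Return findings as (line_no, sid, offending_char, content_body) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not _is_rule(line):
            continue
        sid_m = SID_RE.search(line)
        sid = sid_m.group(1) if sid_m else "?"
        for start, end in content_spans(line):
            body = line[start:end]
            for idx in unescaped_positions(body):
                findings.append((line_no, sid, body[idx], body))
    return findings


def fix_rule(rule):
    """Return rule with every flagged character backslash-escaped (what the sed
    did for 'Content-Type:', applied to every content string of the rule)."""
    out = []
    last = 0
    for start, end in content_spans(rule):
        body = rule[start:end]
        fixed = list(body)
        for idx in reversed(unescaped_positions(body)):  # right to left keeps indexes valid
            fixed.insert(idx, "\\")
        out.append(rule[last:start])
        out.append("".join(fixed))
        last = end
    out.append(rule[last:])
    return "".join(out)


def fix_rules(text):
    """Apply fix_rule to every rule line of a rules file, leaving comments alone."""
    return "\n".join(fix_rule(l) if _is_rule(l) else l for l in text.splitlines())


# Constructed sample modelled on the rules in the thread; sids are placeholders.
SAMPLE_RULES = r'''
# constructed test data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST bad escaping"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|Host\: "; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST already escaped"; flow:to_server,established; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; classtype:trojan-activity; sid:9000002; rev:1;)
'''

if __name__ == "__main__":
    for line_no, sid, ch, body in lint_rules(SAMPLE_RULES):
        print('line %d sid %s: unescaped %r in content:"%s"' % (line_no, sid, ch, body))
    print(fix_rules(SAMPLE_RULES))
```

Run it against a rules directory by reading each file into `lint_rules`; a non-empty result is the lint failure the subject line wants caught before the file is committed, and `fix_rules` gives the escaped text to diff against the original.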

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



