[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Joel Esler jesler at sourcefire.com
Mon Oct 11 17:33:53 EDT 2010


You have two content matches before pcre.  They both look the same to me.  Why not make it one content match instead of two?

J

On Oct 11, 2010, at 5:09 PM, Kevin Ross wrote:

> differences in the user-agents, there are about 4 or 5 of them, focusing on the common elements. 
> 
> On 11 October 2010 22:00, Joel Esler <jesler at sourcefire.com> wrote:
> On the first two, why would you split the content into two?  That doesn't help anything.
> 
> 
> J
> 
> On Oct 11, 2010, at 4:55 PM, Kevin Ross wrote:
> 
>> For the Windows NT ones I used PCRE but with no whitespace after the User-Agent|3A| which is quite specific and abnormal and the Windows NT it should help limit any actually PCRE checks. Kev
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Windows NT User-Agent Observed Outbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:"Windows NT"; nocase; http_header; pcre:"/\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+(\x28SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)/i"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340001; rev:1;)
>> 
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Windows NT User-Agent Observed Inbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:"Windows NT"; nocase; http_header; pcre:"/\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+(SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)/i"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340002; rev:1;)
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Linux User-Agent Observed Outbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/5.0 (X11|3B| U|3B| Linux i686|3B| en-US|3B| re|3A|1.4.0) Gecko/20080808 Firefox"; http_header; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340003; rev:1;)
>> 
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Linux User-Agent Observed Inbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/5.0 (X11|3B| U|3B| Linux i686|3B| en-US|3B| re|3A|1.4.0) Gecko/20080808 Firefox"; http_header; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340004; rev:1;)
>> 
> 
> --
> Joel Esler
> 302-223-5974
> 
> 

--
Joel Esler
302-223-5974
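To make the point of the exchange concrete, here is an added Python model (not from the thread or from the ET ruleset) of how sid:1340002 is evaluated: the two `content; nocase; http_header` options act as a cheap prefilter and the `pcre` only runs on requests that pass both, which is why the missing space after `User-Agent:` does the real discriminating work. The sample requests are constructed, and the model assumes the User-Agent line follows another header so the leading `\r\n` in the pcre has something to match.

```python
import re

# Option strings from sid:1340002 as posted in the thread. The two
# "content; nocase; http_header" matches are the cheap prefilter; the pcre
# is evaluated only on requests that pass both of them.
CONTENT_MATCHES = [b"User-Agent:Mozilla/4.0 (compatible; MSIE", b"Windows NT"]
PCRE = re.compile(
    rb"\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+"
    rb"(SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)",
    re.IGNORECASE,
)

# Constructed sample requests (not real captures). Assumed: the User-Agent
# line is preceded by another header so the leading \r\n in the pcre can match.
BOT_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n")
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n")
PREFILTER_ONLY = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)\r\n\r\n")


def content_prefilter(headers: bytes) -> bool:
    """Emulate the rule's content matches: case-insensitive substring tests."""
    lowered = headers.lower()
    return all(c.lower() in lowered for c in CONTENT_MATCHES)


def rule_matches(headers: bytes) -> tuple:
    """Return (prefilter_hit, pcre_hit); the pcre is skipped when the prefilter misses."""
    if not content_prefilter(headers):
        return (False, False)
    return (True, PCRE.search(headers) is not None)


def pcre_evaluations(requests) -> int:
    """Count how many requests reach the regex, i.e. the work the prefilter saves."""
    return sum(1 for r in requests if content_prefilter(r))


if __name__ == "__main__":
    for name, req in [("bot", BOT_REQUEST), ("browser", BROWSER_REQUEST),
                      ("prefilter-only", PREFILTER_ONLY)]:
        print(name, rule_matches(req))
    print("pcre evaluations:", pcre_evaluations([BOT_REQUEST, BROWSER_REQUEST, PREFILTER_ONLY]))
```

A normal browser UA with the space after the colon never reaches the regex, while a request that passes both content matches but lacks the SV1/MyIE tail is rejected by the pcre alone.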
