[Emerging-Sigs] ET 2.8.6 false positive issues with SID 2007583

evilghost@packetmail.net evilghost at packetmail.net
Fri Oct 15 14:09:09 EDT 2010



Hello, we have some issues with 2007583 causing false positives on
BoostMobile.  2007583 consists of:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
USER_AGENTS iebar Spyware User Agent (iebar)";
flow:established,to_server; content:"iebar"; http_header;
fast_pattern:only; classtype: trojan-activity;
reference:url,doc.emergingthreats.net/2007583;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IEToolbar;
sid:2007583; rev:12;)

In this case the signature fires due to "PhoneGenieBar.swf" in the HTTP
Referer header.  I recommend we either modify the content match to "|3b
20|iebar" or degrade using http_header in this case and revert to rev 7
even for the optimized rulesets.

I believe this signature was inadvertently "damaged" during
optimization, see http://doc.emergingthreats.net/2007583

I have also confirmed that we cannot use relative content modifiers even
when constrained to the same normalized buffer, so the manual is
correct.  The 2.8.6.1 manual is significantly improved over 2.8.4;
that's nice :)

Suggested signature replacement (which has been tested and verified):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
USER_AGENTS iebar Spyware User Agent (iebar)";
flow:established,to_server; content:"|3b 20|iebar"; http_header;
fast_pattern:only; classtype: trojan-activity;
reference:url,doc.emergingthreats.net/2007583;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IEToolbar;
sid:2007583; rev:13;)

-evilghost
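Worked example added for this thread, not part of the original message and not Snort's or ET's code: a small Python model of Snort's `content` + `http_header` match (a case-sensitive byte substring search over the request headers, which is what the rule does without `nocase`) run over three constructed requests. It shows why the rev 12 pattern `iebar` fires on a Referer that merely contains the substring, why the rev 13 pattern `|3b 20|iebar` (i.e. `; iebar`) does not, and the one caveat a practitioner should know: a User-Agent consisting of the bare token `iebar` with no `; ` in front of it is also no longer matched by rev 13. The request bodies, hostnames and User-Agent strings are constructed samples; the Referer path is written lower-case so the substring is present literally.

```python
"""Model of the 2007583 rev 12 vs rev 13 content match over constructed HTTP requests.

This is a simplified model of Snort's `content` + `http_header` semantics
(byte-exact substring search over the header block), not Snort's own code.
All requests below are constructed samples.
"""

# Content patterns from the two rule revisions in the message.
CONTENT_REV12 = b"iebar"                          # rev 12: bare string
CONTENT_REV13 = bytes([0x3B, 0x20]) + b"iebar"    # rev 13: "|3b 20|iebar" == "; iebar"


def http_header_buffer(raw_request: bytes) -> bytes:
    """Return the header block of a request, roughly what http_header is matched against.

    The request line is dropped; the remaining header lines are kept verbatim.
    """
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return b"\r\n".join(lines[1:]) + b"\r\n"


def content_match(buffer: bytes, pattern: bytes) -> bool:
    """Snort `content` without `nocase`: case-sensitive byte substring."""
    return pattern in buffer


def evaluate(raw_request: bytes) -> dict:
    """Evaluate both rule revisions against one request; True means the rule would fire."""
    buf = http_header_buffer(raw_request)
    return {
        "rev12": content_match(buf, CONTENT_REV12),
        "rev13": content_match(buf, CONTENT_REV13),
    }


# Constructed: a legitimate request whose Referer path contains "iebar" as a substring
# ("phonegeniebar.swf"), the false-positive shape described in the message.
BENIGN_REQUEST = (
    b"GET /flash/loader.js HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6\r\n"
    b"Referer: http://example.invalid/toolbar/phonegeniebar.swf\r\n"
    b"\r\n"
)

# Constructed: the User-Agent shape the rule is meant to catch, "iebar" appended as a
# "; "-separated token inside the UA string.
SPYWARE_REQUEST = (
    b"GET /update HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iebar)\r\n"
    b"\r\n"
)

# Constructed: "iebar" as the entire User-Agent value. The "; " prefix is absent, so the
# tighter rev 13 pattern no longer matches; this is the trade-off of the fix.
BARE_UA_REQUEST = (
    b"GET /update HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: iebar\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    for name, req in [("benign", BENIGN_REQUEST),
                      ("spyware", SPYWARE_REQUEST),
                      ("bare-ua", BARE_UA_REQUEST)]:
        print(name, evaluate(req))
```

Running it prints one line per request with the rev 12 and rev 13 verdicts; the benign request trips rev 12 only, the "; iebar" User-Agent trips both, and the bare "iebar" User-Agent trips rev 12 only. Whether that last case matters depends on how the actual toolbar formats its User-Agent, which the message does not state.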