[Emerging-Sigs] ET 2.8.6 false positive issues with SID 2007583

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 15 15:32:44 EDT 2010


We can do that, won't hurt the original intent of the rule. 

Thanks eg!

Matt

On Oct 15, 2010, at 2:09 PM, evilghost at packetmail.net wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello, we have some issues with 2007583 causing false positives on
> BoostMobile.  2007583 consists of:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> USER_AGENTS iebar Spyware User Agent (iebar)";
> flow:established,to_server; content:"iebar"; http_header;
> fast_pattern:only; classtype: trojan-activity;
> reference:url,doc.emergingthreats.net/2007583;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IEToolbar;
> sid:2007583; rev:12;)
> 
> In this case the signature fires due to "PhoneGenieBar.swf" in the HTTP
> Referer header.  I recommend we either modify the content match to "|3b
> 20|iebar" or degrade using http_header in this case and revert to rev 7
> even for the optimized rulesets.
> 
> I believe this signature was inadvertently "damaged" during
> optimization, see http://doc.emergingthreats.net/2007583
> 
> I have also confirmed that we cannot use relative content modifiers even
> when constrained to the same normalized buffer, so the manual is
> correct.  The 2.8.6.1 manual is significantly improved over 2.8.4;
> that's nice :)
> 
> Suggested signature replacement (which has been tested and verified):
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> USER_AGENTS iebar Spyware User Agent (iebar)";
> flow:established,to_server; content:"|3b 20|iebar"; http_header;
> fast_pattern:only; classtype: trojan-activity;
> reference:url,doc.emergingthreats.net/2007583;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_IEToolbar;
> sid:2007583; rev:13;)
> 
> - -evilghost
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iQIcBAEBAgAGBQJMuJjFAAoJENgimYXu6xOHQa8P/A3duVAA60BP9oXn6OPQwTiK
> sQe2D7jC0smGbyiWTsK55/uNbjGTruATMG4h1zAwIw7mgGaLpMlvwO5OCORnaOyr
> Sq4fKmVqshQYnxOP0cyqzvr5slm6dhSkkSjSR6k3ZW0fWiUlJtOSe4WP8luGJeIZ
> Ek2s7i+PQlBKcOxHFvkOhK13LTPmxjTFC4oDK4HUkllbr6o6qL0PlaXyOXxtxDV1
> gvg5glcFSJ6fyyYsps4Gd+wxRvtX5YoXz7VrwcAcCdHhyu09mU1gX8OnKma1WsGj
> wzMzHsQzpXrz8SI5GNxTTCiFkaSqsL440zhI0zSgycsmDmaXBkpdtoTn/7WwbG4f
> y60Tjy1cUhELm89qQdH3Ff11QCiyC5+VTEhygUam8UGBCE3S28IhcPP47Y3wvyw9
> K/SHNrItrG6/XWYqkBr5LOCE9gfejhXjGrH2y0/9FmDJGZ0I+aXSsct3U77iO8W0
> NwZHARtVKBLuB3SR3PG2AJ0Xd2SWAoNRQaxzdBWL+oCmiBffrQMalfLXwsDNwhWi
> a3ZI6sTtUYDAN0RsNNEwJ6+xaJVsN6+g2M5KY2znPMFxqE5JCYUTUA/yxyijy1t5
> rABCHFBjctRYmEkWdam62/RY/1E56vTC5xSuZD99jNK9+dmJ+DtxNeHRwnmRXk7+
> ARkW8rxhIwj4FWi/6APq
> =uKLT
> -----END PGP SIGNATURE-----
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
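To make the false positive concrete, here is an added example (not part of the thread or of the ET ruleset) that models the two revisions of SID 2007583 as plain byte-substring searches over the request headers, which is what content + http_header amounts to once http_inspect has carved out the header buffer. The two HTTP requests are constructed for the example; the BoostMobile Referer path is written in lower case so that the substring "iebar" appears as it would in a case-insensitive hit (the thread does not say whether the real match was case-sensitive), and the spyware User-Agent string is an assumed shape for an iebar toolbar, not one taken from the page. The model ignores http_inspect normalization and treats the http_header buffer as everything after the request line.

```python
"""Model of ET SID 2007583 rev 12 vs rev 13 over two constructed HTTP requests.

Snort content syntax: text outside |...| is literal, inside |...| is
space-separated hex octets, so "|3b 20|iebar" is the bytes b"; iebar".
"""


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(spec):
        if spec[i] == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        else:
            out.append(ord(spec[i]))
            i += 1
    return bytes(out)


def http_header_buffer(request: bytes) -> bytes:
    """Approximate Snort's http_header buffer: the header lines that follow
    the request line, without the body. (Assumption: no normalization.)"""
    head, _, _ = request.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


def rule_fires(content_spec: str, request: bytes) -> bool:
    """True when the content pattern occurs anywhere in the header buffer,
    which is what a single content;http_header; match checks."""
    return parse_content(content_spec) in http_header_buffer(request)


# Constructed request: legitimate BoostMobile traffic whose Referer happens
# to contain the substring "iebar" inside "phonegeniebar.swf".
BOOSTMOBILE_REQ = (
    b"GET /phones/index.html HTTP/1.1\r\n"
    b"Host: www.boostmobile.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    b"Referer: http://www.boostmobile.com/flash/phonegeniebar.swf\r\n"
    b"\r\n"
)

# Constructed request: an assumed iebar toolbar User-Agent, where "iebar"
# is appended as its own token after "; " in the UA string.
IEBAR_REQ = (
    b"GET /search?q=test HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iebar)\r\n"
    b"\r\n"
)

REV12_CONTENT = "iebar"          # content from rev 12 of the rule
REV13_CONTENT = "|3b 20|iebar"   # content from the proposed rev 13


def evaluate() -> dict:
    """Run both revisions against both requests. The rev 12 pattern fires on
    the benign Referer; anchoring on the preceding "; " removes that hit
    while still matching the toolbar User-Agent."""
    return {
        "rev12_boostmobile": rule_fires(REV12_CONTENT, BOOSTMOBILE_REQ),
        "rev13_boostmobile": rule_fires(REV13_CONTENT, BOOSTMOBILE_REQ),
        "rev12_iebar": rule_fires(REV12_CONTENT, IEBAR_REQ),
        "rev13_iebar": rule_fires(REV13_CONTENT, IEBAR_REQ),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {'ALERT' if fired else 'no alert'}")
```

The prefix is folded into a single content rather than written as two contents joined by distance/within because, as the thread notes, Snort 2.8.6 does not allow relative modifiers between matches in the http_header buffer; a single longer pattern also keeps the fast_pattern:only optimization intact.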
