[Emerging-Sigs] SID 2011588 -- Too strict

evilghost@packetmail.net evilghost at packetmail.net
Mon Oct 18 11:54:00 EDT 2010



There may be some overlap with 2011588 and 2011811, however, I recommend
we remove the ".bin" from the content match on 2011588.

Really 2011588 and 2011811 are almost the same signatures.

I am using a variant of 2011588 (no isolation to ".bin") and it detected
this ZeuS infection event:

10:05:06.398025 IP a.b.c.d:1235 > 8.5.1.44.80: P 1:346(345) ack 1 win 64512
GET /bilissimo/gelexy.img HTTP/1.1
Accept: */*
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: void99.com
Cache-Control: no-cache
Cookie: REMOVED_BY_EVILGHOST

So, either we relax 2011588 or we retire it, since it looks like this
event would be caught by:

2011811
2011818

So, do we want to combine 2011811, 2011818, and 2011588 into this
signature (which is almost an exact match on what I've got locally) or
relax 2011588 into this signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC"; flow:established,to_server; content:"GET /"; depth:5; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; classtype:trojan-activity; sid:2011588; rev:6;)

Either way, I think 2011588 needs to be relaxed to the above proposed
rev:6; we have no false positives with this signature.  We can't
constrain to a ".bin"; there are numerous ZeuS configurations which don't
use this extension.

- -evilghost
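As an added example (not code from the thread or from the ET ruleset), the checker below applies the proposed rev:6 content matches to the captured request quoted earlier; it is a simplified model of Snort's content, depth, distance and nocase semantics, and the request bytes are reconstructed from the quoted capture with the wrapped User-Agent line rejoined.

```python
# Simplified model of Snort content matching (added example, not the ET rule engine).
RULE_CONTENTS = [  # (Snort content string, negated?, modifiers) in rule order
    ("GET /", False, {"depth": 5}),
    (" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|"
     "User-Agent|3a| ", False, {}),
    ("|0d 0a|Host|3a| ", False, {"distance": 0}),
    ("|0d 0a|Referer|3a| ", True, {"nocase": True}),
]

def snort_content(text):
    """Expand Snort |xx xx| hex escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def matches_rule(payload):
    """True if payload satisfies every content in order: depth:N searches only the
    first N bytes, distance:N is relative to the previous match, content:! must be absent."""
    last_end = 0
    for text, negated, mods in RULE_CONTENTS:
        pat, hay = snort_content(text), payload
        if mods.get("nocase"):
            pat, hay = pat.lower(), hay.lower()
        start = last_end + mods["distance"] if "distance" in mods else 0
        end = mods.get("depth", len(hay))
        idx = hay.find(pat, start, end)
        if negated:
            if idx != -1:
                return False
            continue
        if idx == -1:
            return False
        last_end = idx + len(pat)
    return True

# Constructed from the capture quoted above, with wrapped header lines rejoined.
ZEUS_REQUEST = (
    b"GET /bilissimo/gelexy.img HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    b".NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; "
    b".NET CLR 3.5.21022)\r\nHost: void99.com\r\nCache-Control: no-cache\r\n"
    b"Cookie: REMOVED_BY_EVILGHOST\r\n\r\n"
)
# Constructed browser-style request: same header order but carrying a Referer,
# which the negated nocase content is there to exclude.
BROWSER_REQUEST = ZEUS_REQUEST.replace(
    b"Cache-Control", b"referer: http://example.invalid/\r\nCache-Control")

if __name__ == "__main__":
    print(matches_rule(ZEUS_REQUEST), matches_rule(BROWSER_REQUEST))  # True False
```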


