[Emerging-Sigs] SID 2011588 -- Too strict

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 18 16:02:03 EDT 2010


Thanks EG. I agree, we have overlap. Deduping and updating.

Matt


On Oct 18, 2010, at 11:54 AM, evilghost at packetmail.net wrote:

> There may be some overlap with 2011588 and 2011811, however, I recommend
> we remove the ".bin" from the content match on 2011588.
> 
> Really 2011588 and 2011811 are almost the same signatures.
> 
> I am using a variant of 2011588 (no isolation to ".bin") and it detected
> this ZeuS infection event:
> 
> 10:05:06.398025 IP a.b.c.d:1235 > 8.5.1.44.80: P 1:346(345) ack 1 win 64512
> GET /bilissimo/gelexy.img HTTP/1.1
> Accept: */*
> Connection: Close
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
> Host: void99.com
> Cache-Control: no-cache
> Cookie: REMOVED_BY_EVILGHOST
> 
> So, either we relax 2011588 or we retire it since it looks like this
> event would be caught by:
> 
> 2011811
> 2011818
> 
> So, do we want to combine 2011811, 2011818, and 2011588 into this
> signature (which is almost an exact match on what I've got locally) or
> relax 2011588 into this signature:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC"; flow:established,to_server; content:"GET /"; depth:5; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; classtype:trojan-activity; sid:2011588; rev:6;)
> 
> Either way, I think 2011588 needs to be relaxed to the above proposed
> rev:6; we have no false positives with this signature. We can't
> constrain to a ".bin"; there are numerous ZeuS configurations which don't
> use this extension.
> 
> -evilghost


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
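As an added example (not part of the thread or of the ET ruleset), the content options of the proposed rev:6 evaluated in Python against the request evilghost captured, to show why a ".bin" constraint misses that event and what the negated Referer content excludes. The ".bin"-constrained variant is an assumption, since the earlier revision is not quoted in the thread, and the engine's flow and port checks are left out.

```python
# Constructed from the request quoted in the thread; User-Agent shortened, cookie kept as the placeholder.
CAPTURED_REQUEST = (
    b"GET /bilissimo/gelexy.img HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Connection: Close\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    b"Host: void99.com\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Cookie: REMOVED_BY_EVILGHOST\r\n\r\n"
)

def evaluate(payload, contents):
    """Apply Snort content options in rule order. A plain content searches the whole
    payload; 'distance' makes it relative to the end of the previous match; 'depth'
    bounds the search; 'nocase' compares case-insensitively; a negated content must be absent."""
    cursor = 0
    for c in contents:
        hay, pat = payload, c["pattern"]
        if c.get("nocase"):
            hay, pat = hay.lower(), pat.lower()
        start = cursor + c["distance"] if "distance" in c else 0
        end = start + c["depth"] if "depth" in c else len(hay)
        idx = hay.find(pat, start, end)
        if c.get("negated"):
            if idx != -1:
                return False
            continue  # a negated content does not advance the cursor
        if idx == -1:
            return False
        cursor = idx + len(pat)
    return True

# Content options of the proposed rev:6 of 2011588, in rule order (nocase applies only to the Referer content).
REV6 = [
    {"pattern": b"GET /", "depth": 5},
    {"pattern": b" HTTP/1.1\r\nAccept: */*\r\nConnection: Close\r\nUser-Agent: "},
    {"pattern": b"\r\nHost: ", "distance": 0},
    {"pattern": b"\r\nReferer: ", "negated": True, "nocase": True},
]

# Assumption: the earlier revision additionally required ".bin" somewhere in the request;
# the thread does not quote it, so this stands in for the constraint under discussion.
STRICT_BIN = REV6[:1] + [{"pattern": b".bin"}] + REV6[1:]

def matches_rev6(payload):
    return evaluate(payload, REV6)

def matches_strict_bin(payload):
    return evaluate(payload, STRICT_BIN)

# Constructed: the same headers plus a Referer, as a browser navigation would send.
BROWSER_REQUEST = CAPTURED_REQUEST.replace(
    b"Host: void99.com\r\n", b"Host: void99.com\r\nReferer: http://example.invalid/\r\n")

if __name__ == "__main__":
    print("rev:6 on captured event:", matches_rev6(CAPTURED_REQUEST))              # True
    print(".bin-constrained on captured event:", matches_strict_bin(CAPTURED_REQUEST))  # False
    print("rev:6 on request with Referer:", matches_rev6(BROWSER_REQUEST))          # False
```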