[Emerging-Sigs] ZeuS CnC Check In's Sig

Will Metcalf william.metcalf at gmail.com
Mon Oct 18 16:19:04 EDT 2010


Hmmm does anybody have a packet capture of this they can share with me
because I don't think that this as efficient as one might think.  The
behavior that I have seen is that when applying distance/within
against an http_header buffer it is treated as depth/offset from the
start of the buffer not from the end of the last match.

Regards,

Will

On Mon, Oct 18, 2010 at 3:09 PM, Robert Kerr <rob at rkerr.co.uk> wrote:
> On Thu, 2010-10-14 at 22:54 +0000, Eoin Miller wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS
>> POST to CnC"; content:"POST"; http_method; content:".php"; http_uri;
>> nocase; content:"Accept: */*|0D 0A|User-Agent:"; depth:25; http_header;
>> content:!"Content-Type: "; http_header; content:"Content-Length: ";
>> http_header; content:!"0"; distance:0; http_header; content:"Connection:
>> Keep-Alive|0D 0A|Cache-Control: no-cache"; http_header; content:"|0D 0A
>> 0D 0A|"; distance:0; classtype:trojan-activity; sid:5600177; rev:4;)
>
>> I haven't given it a shot on our sensors here yet for FP detection, but
>> if anyone else can help out, that would be awesome. It does trigger on
>> the infected sample PCAP's that we have acquired.
>
> Eoin,
>
> For this:
>
>  content:"Content-Length: "; http_header; content:!"0"; distance:0;
> http_header;
>
> Don't you mean something more like:
>
>  content:"Content-Length: "; http_header; content:!"Content-Length: 0|0d
> 0a|"; http_header;
>
> Because otherwise any Content-Length header with a 0 in it (eg
> Content-Length: 100) is going to slip through...
>
> --
>  Robert Kerr
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>


More information about the Emerging-sigs mailing list