[Emerging-Sigs] ZeuS CnC Check In's Sig
rob at rkerr.co.uk
Mon Oct 18 16:40:30 EDT 2010
On Mon, 2010-10-18 at 20:26 +0000, Eoin Miller wrote:
> On 10/18/2010 8:09 PM, Robert Kerr wrote:
> > For this:
> > content:"Content-Length: "; http_header; content:!"0"; distance:0;
> > http_header;
> > Don't you mean something more like:
> > content:"Content-Length: "; http_header; content:!"Content-Length: 0|0d
> > 0a|"; http_header;
> > Because otherwise any Content-Length header with a 0 in it (eg
> > Content-Length: 100) is going to slip through...
> This is meant to get rid of some FP's we were seeing with MSN based
> toolbars that were POST'ing with a content length of zero bytes. We are
> specifically *not* alerting on requests that contain the following:
> "Content-Length: 0";
> But we need to keep the "Content-Length: " content match that we are
> doing in the signature to match the order in which the http client
> library that the ZeuS bot is using and how it formulates its requests.
No arguments there - my point was the content:!"0" is saying there can
be no 0s anywhere after the Content-Length header:
Content-Length: 100, for example, contains a 0 after the Content-Length header. If this was an
un-negated match I'd suggest within:1 - but being negated and being
http_header makes all sorts of odd rules apply.
content:!"Content-Length: 0|0d 0a|"; http_header;
Seems more likely to work (though if you give Will a pcap I'm sure he'll
come up with some magic).
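A small Python model of the negated-content forms discussed in this thread, added here as an editorial example (it is not code from the thread or from the Emerging Threats rule set). It approximates Snort's content / distance / negated-content semantics over a header buffer with the request line omitted, and runs three rule variants over constructed header samples (not real ZeuS or MSN toolbar traffic): the rule as posted, the proposed `content:!"Content-Length: 0|0d 0a|"` form, and, going one step beyond the thread, the same negation without the trailing CRLF, to show why the |0d 0a| anchor matters. Snort's real handling of negated matches in the http_header buffer is more involved than this model, as noted above; the point is only the search-window logic.

```python
"""
Toy model of Snort content matching, sufficient to show why
  content:!"0"; distance:0; http_header;
misses any Content-Length value containing a 0, while
  content:!"Content-Length: 0|0d 0a|"; http_header;
only excludes an empty body.  Editorial example; not Snort code.
"""

# Constructed header buffers (request line omitted; only the
# Content-Length value differs).  Not captured traffic.
SAMPLES = {
    # bot-style POST with a body: the rule *should* alert
    "post_100": b"Host: example.invalid\r\nContent-Length: 100\r\nConnection: Keep-Alive\r\n",
    "post_42":  b"Host: example.invalid\r\nContent-Length: 42\r\nConnection: Keep-Alive\r\n",
    # MSN-toolbar-style empty POST: the rule should *not* alert
    "post_0":   b"Host: example.invalid\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n",
    # odd but syntactically legal value that merely *starts* with 0
    "post_07":  b"Host: example.invalid\r\nContent-Length: 07\r\nConnection: Keep-Alive\r\n",
}


def content_match(buf, pattern, cursor=0, negated=False, distance=None):
    """One Snort-style content check over a single buffer.

    Returns (matched, new_cursor).  A positive match advances the cursor
    to the byte after the matched pattern.  A negated match succeeds when
    the pattern is *absent* from the search window and leaves the cursor
    alone.  `distance` makes the search relative to the previous match
    (window = cursor + distance .. end of buffer); None searches from 0.
    """
    start = 0 if distance is None else cursor + distance
    idx = buf.find(pattern, start)
    if negated:
        return idx == -1, cursor
    if idx == -1:
        return False, cursor
    return True, idx + len(pattern)


def rule_as_posted(buf):
    """content:"Content-Length: "; content:!"0"; distance:0;"""
    ok, cur = content_match(buf, b"Content-Length: ")
    if not ok:
        return False
    # Negated, relative: fails if a '0' appears anywhere after the header name.
    ok, _ = content_match(buf, b"0", cur, negated=True, distance=0)
    return ok


def rule_without_crlf(buf):
    """content:"Content-Length: "; content:!"Content-Length: 0";"""
    ok, cur = content_match(buf, b"Content-Length: ")
    if not ok:
        return False
    ok, _ = content_match(buf, b"Content-Length: 0", negated=True)
    return ok


def rule_proposed(buf):
    """content:"Content-Length: "; content:!"Content-Length: 0|0d 0a|";"""
    ok, cur = content_match(buf, b"Content-Length: ")
    if not ok:
        return False
    # The CRLF anchors the negation to a value that is exactly "0".
    ok, _ = content_match(buf, b"Content-Length: 0\r\n", negated=True)
    return ok


def evaluate(samples=SAMPLES):
    """Map sample name -> (as_posted, without_crlf, proposed) alert decisions."""
    return {
        name: (rule_as_posted(b), rule_without_crlf(b), rule_proposed(b))
        for name, b in samples.items()
    }


if __name__ == "__main__":
    print(f"{'sample':<10}{'as posted':<12}{'no CRLF':<10}{'proposed'}")
    for name, (a, b, c) in evaluate().items():
        print(f"{name:<10}{str(a):<12}{str(b):<10}{c}")
```

Running it shows `post_100` alerting only under the two `Content-Length: 0` forms (the posted rule sees the 0 in 100 and suppresses itself), `post_0` correctly silent under all three, and `post_07` silent under the form without the CRLF anchor, which is the case the |0d 0a| suffix exists to avoid.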