[Emerging-Sigs] SIG for JAR-Download :: Have you checked the Java?

Martin Holste mcholste at gmail.com
Sun Oct 24 12:38:09 EDT 2010


Hm, I'm not sure.  FWIW, I always see the strings in the same packet,
so it should work fine most of the time, but I'd like to hear if
others are seeing misses.  Also, the depths in the sig are up for
debate.  I put in what I consider to be pretty roomy numbers, but
that's because I couldn't find the algorithm in the JAR spec that
would define exactly how far apart the strings could be.  As I said,
this sig has been working very well for us for a half year or so.  It
might not be a bad one to combine with nginx (like the nginx + PDF
sig) or something else.  In our environment, simply finding JARs from
RU/CN nails a lot of stuff.  In smaller environments, just looking
through the day's JAR file downloads would be very doable and
fruitful.

Additional note: a recent post from Brian Krebs pointed out that Java
exploits are accounting for more than 3/4 of the exploits being used
in the malware kits, so while Adobe's been getting all the bad press
lately, it's been mostly Java exploits that malware have been using.
I can confirm that this is the case in our incident response.

On Sun, Oct 24, 2010 at 11:27 AM, mex <mail at mare-system.de> wrote:
>
> does this always work with gzip'd and chunk'd content?
> i remember this flaw some weeks ago with older versions of
> snort.
>
> if it works i think yours is the better sig;
> or maybe run them both to see 1. the request and 2. the response?
>
> Martin Holste wrote:
>> I've been running a JAR sig for a long time, and it's been very
>> helpful for post-mortems or data mining.  My sig is a little
>> different:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"LOCAL JAR
>> file download"; flow:from_server,established; content:"PK"; depth:500;
>> content:"META-INF/"; within:100; content:"MANIFEST"; within:100;
>> classtype:not-suspicious; sid:xxx; rev:1;)
>>
>> On Sun, Oct 24, 2010 at 4:55 AM, Mex <mail at mare-system.de> wrote:
>>> maybe, deactivated by default for office-networks?
>>>
>>> http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"JAVA JAR
>>> Download Attempt"; flow:established,to_server; uricontent:".jar";
>>> classtype:bad-unknown;
>>> reference:url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx; sid:xxxxxxxx;
>>> rev:1;)
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>
> --
>
>
> mex
>
>
> Security InfoCenter   .:.   http://www.mare-system.de/sic
> DONT PANIC            .:.   http://www.mare-system.de/emergency
> MARE System Kiel      .:.   http://www.mare-system.de
>
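The thread raises two points worth seeing side by side: how Martin's `depth`/`within` constraints behave on a real JAR, and mex's question of whether a raw content match survives a gzip'd, chunk'd HTTP response. The following is an added example, not code from either poster: it builds a minimal JAR in memory, wraps it in a constructed chunked and gzip-encoded HTTP/1.1 response, normalizes the response the way an HTTP preprocessor would have to, and then applies the same three-content chain as the LOCAL JAR sig (a Python model of Snort's `depth`/`within` semantics, where each match must fall entirely within the stated window after the previous match).

```python
"""Model of the 'LOCAL JAR file download' content chain from the thread,
applied to a constructed chunked + gzip HTTP response.  Added example; the
JAR and the response are built here, not captured traffic."""
import gzip
import io
import zipfile


def build_sample_jar() -> bytes:
    """Constructed minimal JAR: a ZIP whose first entry is META-INF/MANIFEST.MF.
    The local file header is 30 bytes, so 'META-INF/' lands at offset 30."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


def chunked_gzip_response(body: bytes, chunk_size: int = 64) -> bytes:
    """Constructed HTTP/1.1 response: Content-Encoding gzip + chunked transfer."""
    gz = gzip.compress(body)
    chunks = b"".join(
        b"%x\r\n%s\r\n" % (len(gz[i:i + chunk_size]), gz[i:i + chunk_size])
        for i in range(0, len(gz), chunk_size)
    )
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/java-archive\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n")
    return headers + chunks + b"0\r\n\r\n"


def split_response(raw: bytes):
    """Split a raw response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip().lower()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a chunked body; chunk extensions after ';' are ignored."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            break
        start = eol + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that terminates the chunk
    return bytes(out)


def normalize(raw: bytes) -> bytes:
    """What the IDS's HTTP preprocessor must do before the body can be matched."""
    headers, body = split_response(raw)
    if headers.get(b"transfer-encoding") == b"chunked":
        body = dechunk(body)
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return body


def matches_jar_sig(payload: bytes) -> bool:
    """content:"PK"; depth:500; content:"META-INF/"; within:100;
    content:"MANIFEST"; within:100;  -- each find() is bounded so the match
    must sit entirely inside the window, as Snort's depth/within require."""
    pk = payload.find(b"PK", 0, 500)
    if pk < 0:
        return False
    end = pk + 2
    mi = payload.find(b"META-INF/", end, end + 100)
    if mi < 0:
        return False
    end = mi + len(b"META-INF/")
    return payload.find(b"MANIFEST", end, end + 100) >= 0


if __name__ == "__main__":
    jar = build_sample_jar()
    wire = chunked_gzip_response(jar)
    print("decoded body matches sig:", matches_jar_sig(normalize(wire)))
```

Run as-is, the decoded body matches; the literal strings the rule looks for are not present in the compressed chunk bytes, which is exactly the miss mex describes on a sensor that matches the raw server payload without de-chunking and decompressing first. The `within` windows also show why the depths are "roomy": on this constructed JAR the gap from `PK` to `META-INF/` is 28 bytes and from `META-INF/` to `MANIFEST` is zero, so the 100-byte windows mainly buy tolerance for a longer first entry name or an extra field in the local header.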
