[Emerging-Sigs] 2 Sigs: SCAN & DYNAMIC_DNS

Kevin Ross kevross33 at googlemail.com
Tue Oct 4 10:45:09 EDT 2011


This is easier to read:

GET.HTTP/1.1.HTTP/1.1
Accept:.*/*
Accept-Language:.en-us
Accept-Encoding:.gzip,.deflate
User-Agent:.Toata.dragostea.mea.pentru.diavola
Host:.173.255.236.165
Connection:.Close


On 4 October 2011 15:44, Kevin Ross <kevross33 at googlemail.com> wrote:

> No I don't. Where I did see it was when I was having a look at the snorby
> test instance and their alerts and I looked at the packet (I am still a BASE
> person, I can customise it to have other graphs and things easier I find and
> I prefer the way you drill into alerts). The packets look like this. I think
> it may be good to try and see if any other scanners are like that too (it
> may be a way to check how a server handles header options or something).
>
> 0000000: 47 45 54 20 48 54 54 50 2f 31 2e 31 20   48 54 54 50 2f 31 2e 31 0d 0a 41 63 63  GET.HTTP/1.1.HTTP/1.1..Acc
> 000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63   65 70 74 2d 4c 61 6e 67 75 61 67 65 3a  ept:.*/*..Accept-Language:
> 0000034: 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70   74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67  .en-us..Accept-Encoding:.g
> 000004E: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d   0a 55 73 65 72 2d 41 67 65 6e 74 3a 20  zip,.deflate..User-Agent:.
> 0000068: 54 6f 61 74 61 20 64 72 61 67 6f 73 74   65 61 20 6d 65 61 20 70 65 6e 74 72 75  Toata.dragostea.mea.pentru
> 0000082: 20 64 69 61 76 6f 6c 61 0d 0a 48 6f 73   74 3a 20 31 37 33 2e 32 35 35 2e 32 33  .diavola..Host:.173.255.23
> 000009C: 36 2e 31 36 35 0d 0a 43 6f 6e 6e 65 63   74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a  6.165..Connection:.Close..
> 00000B6: 0d 0a                                                                            ..
>
>
>
>
> On 4 October 2011 13:23, rmkml <rmkml at free.fr> wrote:
>
>> Hi Kevin,
>> Thx you very much for all posted rules.
>> Do you have tested a first rule please? because 'http_header' need a
>> correct header and if not: Im not sure snort firing?
>> Do you have a pcap?
>> Regards
>> Rmkml
>>
>>
>>
>> On Tue, 4 Oct 2011, Kevin Ross wrote:
>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Toata
>>> Scanner/Invalid Double HTTP in Header Detected"; flow:established,to_server;
>>> content:"HTTP/1.1|20|HTTP/1.1"; http_header; threshold: type limit,
>>> count 1, seconds 60, track by_src; classtype:attempted-recon;
>>> reference:url,isc.sans.org/diary.html?storyid=5599; sid:1231991; rev:1;)
>>>
>>> # Starting to see more and in sandnet
>>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS
>>> Query for no-ip Dynamic DNS Domain - Possibly Malware Related";
>>> content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>>> content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:misc-activity;
>>> sid:1231992; rev:1;)
>>>
>>> Regards, Kevin
>>>
>>>
>>>
>>>
>
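Added example, not code from the thread or from Emerging Threats: a plain-Python re-implementation of the byte-matching logic behind both rules in the message above, run against the Toata request decoded from the hex dump Kevin quoted and against DNS query packets constructed here. The function names (`parse_hexdump`, `locate_double_http`, `build_dns_query`, `noip_query`) and the DNS sample names are my own; the HTTP bytes are the ones on the page.

```python
"""Re-implementation of the matching logic of the two posted Snort rules.
The HEXDUMP text is the packet quoted in the thread; the DNS packets are
constructed samples, not captures."""
import struct

# xxd-style dump quoted in the thread: offset, 26 hex bytes, ASCII column.
HEXDUMP = """\
0000000: 47 45 54 20 48 54 54 50 2f 31 2e 31 20   48 54 54 50 2f 31 2e 31 0d 0a 41 63 63  GET.HTTP/1.1.HTTP/1.1..Acc
000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63   65 70 74 2d 4c 61 6e 67 75 61 67 65 3a  ept:.*/*..Accept-Language:
0000034: 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70   74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67  .en-us..Accept-Encoding:.g
000004E: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d   0a 55 73 65 72 2d 41 67 65 6e 74 3a 20  zip,.deflate..User-Agent:.
0000068: 54 6f 61 74 61 20 64 72 61 67 6f 73 74   65 61 20 6d 65 61 20 70 65 6e 74 72 75  Toata.dragostea.mea.pentru
0000082: 20 64 69 61 76 6f 6c 61 0d 0a 48 6f 73   74 3a 20 31 37 33 2e 32 35 35 2e 32 33  .diavola..Host:.173.255.23
000009C: 36 2e 31 36 35 0d 0a 43 6f 6e 6e 65 63   74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a  6.165..Connection:.Close..
00000B6: 0d 0a                                                                            ..
"""

# Constructed benign request for comparison.
NORMAL_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

# Rule 1: content:"HTTP/1.1|20|HTTP/1.1" (|20| is a space).
DOUBLE_HTTP = b"HTTP/1.1 HTTP/1.1"
# Rule 2: content:"|01 00 00 01 00 00 00 00 00 00|"; offset:2; depth:10
# i.e. bytes 2..11 of the DNS payload: flags 0x0100 (standard query, RD),
# QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 0.
DNS_HDR_TAIL = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
# Rule 2: content:"|05|no-ip|03|"; distance:0  -> label "no-ip" then a 3-byte label.
NOIP_LABEL = b"\x05no-ip\x03"


def parse_hexdump(text):
    """Decode an xxd-style dump: skip the offset, take two-hex-digit tokens
    until the ASCII column begins (first token that is not a hex byte)."""
    out = bytearray()
    for line in text.splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue
        for tok in rest.split():
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)


def locate_double_http(raw):
    """Report where rule 1's pattern sits: 'request_line', 'headers' or None.
    Separating the two shows that the Toata sample matches only in the
    request line, which is what rmkml's http_header question is about."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    if b"\r\n" not in head:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    if DOUBLE_HTTP in request_line:
        return "request_line"
    if DOUBLE_HTTP in headers:
        return "headers"
    return None


def build_dns_query(qname, txid=0x1234, edns=False):
    """Constructed minimal A query for qname; edns=True appends an OPT record
    and sets ARCOUNT to 1, as many modern resolvers do."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    opt = struct.pack("!BHHIH", 0, 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def noip_query(payload):
    """Rule 2 logic in Snort's evaluation order: the 10-byte header tail must
    sit exactly at offset 2 (offset:2 + depth:10 with a 10-byte content), and
    the label pattern must appear after that match (distance:0)."""
    if len(payload) < 12 or payload[2:12] != DNS_HDR_TAIL:
        return False
    return NOIP_LABEL in payload[12:]


if __name__ == "__main__":
    toata = parse_hexdump(HEXDUMP)
    print(len(toata), "bytes;", locate_double_http(toata))
    for name in ("host.no-ip.org", "host.no-ip.info", "www.example.com"):
        print(name, noip_query(build_dns_query(name)))
    print("edns:", noip_query(build_dns_query("host.no-ip.org", edns=True)))
```

Two things the run makes visible that the rule text alone does not: the double `HTTP/1.1` lies in the request line rather than in a header field, so whether `http_header` can see it depends on what the HTTP inspector places in that buffer; and the second rule is bound to a 3-byte final label and to an all-zero ARCOUNT, so a query for a name ending in a longer TLD, or one carrying an EDNS OPT record, does not match it.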