[Emerging-Sigs] 2 Sigs: SCAN & DYNAMIC_DNS

rmkml rmkml at free.fr
Tue Oct 4 14:32:29 EDT 2011


Hi Kevin,
OK, I wrote a simple perl example for replay:
  perl -e '
    use IO::Socket::INET;
    $sock = IO::Socket::INET->new(PeerAddr => "192.168.1.1", PeerPort => "80",
                                  Timeout => "1", Proto => "tcp") or die "error\n";
    # replay the malformed request line ("GET HTTP/1.1 HTTP/1.1") exactly as the scanner sends it
    print $sock "GET HTTP/1.1 HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Toata dragostea mea pentru diavola\r\nHost: 173.255.236.165\r\nConnection: Close\r\n\r\n";
    sleep 2;'

With your simplified (removed threshold) rule (1231991), my snort (291) does not fire.
Does it fire for you?
But another Emerging rule fires:
  10/04-19:15:33.391047  [**] [1:2009159:7] ET SCAN Toata Scanner User-Agent Detected [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.2:56129 -> 192.168.1.1:80
Regards
Rmkml


On Tue, 4 Oct 2011, Kevin Ross wrote:

> 
> This is easier to read:
> GET.HTTP/1.1.HTTP/1.1
> Accept:.*/*
> Accept-Language:.en-us
> Accept-Encoding:.gzip,.deflate
> User-Agent:.Toata.dragostea.mea.pentru.diavola
> Host:.173.255.236.165
> Connection:.Close
> 
> On 4 October 2011 15:44, Kevin Ross <kevross33 at googlemail.com> wrote:
>       No I don't. Where I did see it was when I was having a look at the snorby test instance and their alerts and I looked at the packet (I am still a BASE person; I can customise it to have other graphs and things more easily, I
>       find, and I prefer the way you drill into alerts). The packets look like this. I think it may be good to try and see if any other scanners are like that too (it may be a way to check how a server handles header options
>       or something).
> 
> 0000000: 47 45 54 20 48 54 54 50 2f 31 2e 31 20   48 54 54 50 2f 31 2e 31 0d 0a 41 63 63  GET.HTTP/1.1.HTTP/1.1..Acc
> 000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 63   65 70 74 2d 4c 61 6e 67 75 61 67 65 3a  ept:.*/*..Accept-Language:
> 0000034: 20 65 6e 2d 75 73 0d 0a 41 63 63 65 70   74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67  .en-us..Accept-Encoding:.g
> 000004E: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d   0a 55 73 65 72 2d 41 67 65 6e 74 3a 20  zip,.deflate..User-Agent:.
> 0000068: 54 6f 61 74 61 20 64 72 61 67 6f 73 74   65 61 20 6d 65 61 20 70 65 6e 74 72 75  Toata.dragostea.mea.pentru
> 0000082: 20 64 69 61 76 6f 6c 61 0d 0a 48 6f 73   74 3a 20 31 37 33 2e 32 35 35 2e 32 33  .diavola..Host:.173.255.23
> 000009C: 36 2e 31 36 35 0d 0a 43 6f 6e 6e 65 63   74 69 6f 6e 3a 20 43 6c 6f 73 65 0d 0a  6.165..Connection:.Close..
> 00000B6: 0d 0a                                                                            ..
> 
> 
> 
> On 4 October 2011 13:23, rmkml <rmkml at free.fr> wrote:
>       Hi Kevin,
>       Thx you very much for all posted rules.
>       Do you have tested a first rule please? because 'http_header' need a correct header and if not: Im not sure snort firing?
>       Do you have a pcap?
>       Regards
>       Rmkml
> 
> 
> On Tue, 4 Oct 2011, Kevin Ross wrote:
>
>       alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Toata Scanner/Invalid Double HTTP in Header Detected"; flow:established,to_server; content:"HTTP/1.1|20|HTTP/1.1"; http_header;
>       threshold: type limit, count 1, seconds 60, track by_src; reference:url,isc.sans.org/diary.html?storyid=5599; classtype:attempted-recon; sid:1231991; rev:1;)
>
>       # Starting to see more and in sandnet
>       alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Query for no-ip Dynamic DNS Domain - Possibly Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
>       content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:misc-activity; sid:1231992; rev:1;)
>
>       Regards, Kevin


More information about the Emerging-sigs mailing list