[Emerging-Sigs] Strange UDP Trojan check-in

Kevin Ross kevross33 at googlemail.com
Wed Oct 5 09:49:57 EDT 2011


I am guessing because byte_extract is a Snort 2.9.X rule option, so it would
only be available for that ruleset?

On 5 October 2011 14:42, Martin Holste <mcholste at gmail.com> wrote:

> My UDP sig didn't make it into the tarball last night, any reason why?
>
> On Tue, Oct 4, 2011 at 10:13 PM, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
> > Posted!
> >
> >
> > On Oct 4, 2011, at 6:11 PM, Kevin Ross wrote:
> >
> >> And a quick one for the POST.
> >>
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Zeus Variant Post to CnC Server"; flow:established,to_server;
> content:"POST"; http_method; content:"/gameover2.php"; http_uri;
> classtype:trojan-activity; sid:1349991; rev:1;)
> >>
> >> Kev
> >>
> >> On 4 October 2011 21:38, Martin Holste <mcholste at gmail.com> wrote:
> >> I sat down and finally got familiar with all of the byte_* operators,
> >> and I think this one will work the best (confirmed against pcap):
> >>
> >> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
> >> Communication"; byte_extract:4,63,padding; byte_test:4,=,padding,67;
> >> dsize:72; sid:1; rev:1;)
> >>
> >> This checks that the UDP payload is exactly 72 bytes and that the
> >> bytes 63-66 match bytes 67-71 (eight bytes in a row that are
> >> identical).  It should be pretty accurate and very fast.  I put in the
> >> not DNS port there since only high ports are used and this should make
> >> the load essentially non-existent.  That should also alleviate FP's,
> >> though I doubt there will be many if any.
> >>
> >> On Tue, Oct 4, 2011 at 3:13 PM, Nathan <nathan at packetmail.net> wrote:
> >> > On Tue, 4 Oct 2011 13:20:17 -0500 Martin Holste <mcholste at gmail.com>
> wrote
> >> >
> >> >> Does anyone have some advice on a signature for the UDP last nine
> bytes?
> >> >
> >> > Here is my attempt, caveat, it may not even run, I'm shooting from the
> hip for
> >> > discussion.  The PCRE back reference should be good to match the last
> 9 bytes
> >> > repeating, until end of string.  I feel good about the PCRE.
> >> >
> >> > The dsize and byte_jump are suspect, dsize should be ok it's byte_jump
> and
> >> > doe_ptr with respect to PCRE /R that I'm unsure about.
> >> >
> >> > Do we need to adjust dsize for UDP header size?
> >> > Does doe_ptr become relative to PCRE /R?  If not, we need to drop it.
> >> > Do we also need the /O flag for PCRE?
> >> >
> >> > I believe /B is needed as is /s but I am open to correction.
> >> >
> >> > #Does 1023: here make sense?
> >> > alert udp $HOME_NET 1023: -> $EXTERNAL_NET 1023: (msg:"ET
> CURRENT_EVENTS ZeuS
> >> > P2P Communication over UDP"; dsize:114; byte_jump:1,70;
> pcre:"/(.)\1{8}$/BRs";
> >> > classtype:trojan-activity; sid:x; rev:1;)
> >> >
> >> > PCRE version 8.02 2010-03-19
> >> >
> >> >  re> /(.)\1{8}$/
> >> > data> abcdefghi
> >> > No match
> >> > data> aaaaaaaaa
> >> >  0: aaaaaaaaa
> >> >  1: a
> >> > data> aaabbaaaa
> >> > No match
> >> > data> hoorayaaaaaaaaa
> >> >  0: aaaaaaaaa
> >> >  1: a
> >> > data>
> >> >
> >> > Thanks,
> >> > Nathan
> >> >
> >> >
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> >> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
> >>
> >
> >
> > ----------------------------------------------------
> > Matt Jonkman
> > Emerging Threats Pro
> > Open Information Security Foundation (OISF)
> > Phone 866-504-2523 x110
> > http://www.emergingthreatspro.com
> > http://www.openinfosecfoundation.org
> > ----------------------------------------------------
> >
> >
>
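Emulating the two detection approaches discussed in the thread in Python, as an added example that is not from the list or from any published ET rule; the payloads are constructed for the demonstration, not captured traffic, and only the PCRE half of Nathan's rule is modelled (the byte_jump/doe_ptr positioning is left out):

```python
import re

# Constructed sample payloads (not real captures): 63 varied bytes
# followed by the 9-byte tail the thread is keying on.
HEADER = bytes(range(63))
CHECK_IN = HEADER + b"\x00" * 9      # identical trailing padding, 72 bytes
REPEAT4 = HEADER + b"ABCDABCDE"      # 4-byte value repeated, tail not identical
RANDOMISH = bytes(range(72))         # no repeated structure at all


def byte_test_rule(payload: bytes) -> bool:
    """Emulate Martin's rule: dsize:72; byte_extract:4,63,padding;
    byte_test:4,=,padding,67;  i.e. bytes 63-66 must equal bytes 67-70.
    Byte 71 is never examined by this rule."""
    if len(payload) != 72:
        return False
    padding = int.from_bytes(payload[63:67], "big")
    return int.from_bytes(payload[67:71], "big") == padding


# Nathan's pcre:"/(.)\1{8}$/s": one byte followed by eight copies of itself
# at the end of the payload (/s -> DOTALL so "." also matches 0x0a).
# \Z is used instead of $ so a payload ending in "\n" cannot satisfy the
# anchor the way PCRE's $ would allow without the D modifier.
LAST_NINE = re.compile(rb"(.)\1{8}\Z", re.DOTALL)


def pcre_rule(payload: bytes) -> bool:
    return LAST_NINE.search(payload) is not None


def evaluate(payload: bytes) -> dict:
    """Run both checks so the two approaches can be compared side by side."""
    return {"byte_test": byte_test_rule(payload), "pcre": pcre_rule(payload)}


if __name__ == "__main__":
    for name, pkt in [("CHECK_IN", CHECK_IN), ("REPEAT4", REPEAT4),
                      ("RANDOMISH", RANDOMISH)]:
        print(name, evaluate(pkt))
```

REPEAT4 shows where the two differ: the byte_test only requires the 4-byte value at offset 63 to recur at offset 67, while the PCRE requires nine identical bytes, so the two rules do not cover exactly the same payloads.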