[Emerging-Sigs] Strange UDP Trojan check-in

Martin Holste mcholste at gmail.com
Wed Oct 5 09:55:01 EDT 2011


I'm running etpro with Suricata, which the rule does work for (still
getting hits for my entry in local.rules).

On Wed, Oct 5, 2011 at 8:49 AM, Kevin Ross <kevross33 at googlemail.com> wrote:
> I am guessing because byte_extract is a snort 2.9.X rule option, so it would
> only be available for that ruleset?
>
> On 5 October 2011 14:42, Martin Holste <mcholste at gmail.com> wrote:
>>
>> My UDP sig didn't make it into the tarball last night, any reason why?
>>
>> On Tue, Oct 4, 2011 at 10:13 PM, Matthew Jonkman
>> <jonkman at emergingthreatspro.com> wrote:
>> > Posted!
>> >
>> >
>> > On Oct 4, 2011, at 6:11 PM, Kevin Ross wrote:
>> >
>> >> And a quick one for the POST.
>> >>
>> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> >> CURRENT_EVENTS Zeus Variant Post to CnC Server"; flow:established,to_server;
>> >> content:"POST"; http_method; content:"/gameover2.php"; http_uri;
>> >> classtype:trojan-activity; sid:1349991; rev:1;)
>> >>
>> >> Kev
>> >>
>> >> On 4 October 2011 21:38, Martin Holste <mcholste at gmail.com> wrote:
>> >> I sat down and finally got familiar with all of the byte_* operators,
>> >> and I think this one will work the best (confirmed against pcap):
>> >>
>> >> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P
>> >> Communication"; byte_extract:4,63,padding; byte_test:4,=,padding,67;
>> >> dsize:72; sid:1; rev:1;)
>> >>
>> >> This checks that the UDP payload is exactly 72 bytes and that the
>> >> bytes 63-66 match bytes 67-71 (eight bytes in a row that are
>> >> identical).  It should be pretty accurate and very fast.  I put in the
>> >> not DNS port there since only high ports are used and this should make
>> >> the load essentially non-existent.  That should also alleviate FP's,
>> >> though I doubt there will be many if any.
>> >>
>> >> On Tue, Oct 4, 2011 at 3:13 PM, Nathan <nathan at packetmail.net> wrote:
>> >> > On Tue, 4 Oct 2011 13:20:17 -0500 Martin Holste <mcholste at gmail.com>
>> >> > wrote
>> >> >
>> >> >> Does anyone have some advice on a signature for the UDP last nine
>> >> >> bytes?
>> >> >
>> >> > Here is my attempt; caveat: it may not even run, I'm shooting from
>> >> > the hip for discussion.  The PCRE back reference should be good to
>> >> > match the last 9 bytes repeating, until end of string.  I feel good
>> >> > about the PCRE.
>> >> >
>> >> > The dsize and byte_jump are suspect; dsize should be ok, it's
>> >> > byte_jump and doe_ptr with respect to PCRE /R that I'm unsure about.
>> >> >
>> >> > Do we need to adjust dsize for UDP header size?
>> >> > Does doe_ptr become relative to PCRE /R?  If not, we need to drop it.
>> >> > Do we also need the /O flag for PCRE?
>> >> >
>> >> > I believe /B is needed as is /s but I am open to correction.
>> >> >
>> >> > #Does 1023: here make sense?
>> >> > alert udp $HOME_NET 1023: -> $EXTERNAL_NET 1023: (msg:"ET
>> >> > CURRENT_EVENTS ZeuS P2P Communication over UDP"; dsize:114;
>> >> > byte_jump:1,70; pcre:"/(.)\1{8}$/BRs";
>> >> > classtype:trojan-activity; sid:x; rev:1;)
>> >> >
>> >> > PCRE version 8.02 2010-03-19
>> >> >
>> >> >  re> /(.)\1{8}$/
>> >> > data> abcdefghi
>> >> > No match
>> >> > data> aaaaaaaaa
>> >> >  0: aaaaaaaaa
>> >> >  1: a
>> >> > data> aaabbaaaa
>> >> > No match
>> >> > data> hoorayaaaaaaaaa
>> >> >  0: aaaaaaaaa
>> >> >  1: a
>> >> > data>
>> >> >
>> >> > Thanks,
>> >> > Nathan
>> >> >
>> >> >
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> >> http://www.emergingthreatspro.com
>> >> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> >> Current!
>> >>
>> >
>> >
>> > ----------------------------------------------------
>> > Matt Jonkman
>> > Emerging Threats Pro
>> > Open Information Security Foundation (OISF)
>> > Phone 866-504-2523 x110
>> > http://www.emergingthreatspro.com
>> > http://www.openinfosecfoundation.org
>> > ----------------------------------------------------
>> >
>> >
>
>
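
As an added example (not code from the thread or from the ET ruleset), the two payload checks discussed above reimplemented in Python so they can be run against constructed sample payloads: the byte_extract/byte_test comparison from the 72-byte rule and the PCRE back-reference from the 1023: rule. Offsets in byte_extract/byte_test are 0-based from the start of the UDP payload, so the 72-byte rule as written compares payload bytes 63-66 with bytes 67-70; equality of those two 4-byte values is also satisfied by any 4-byte repeating pattern, not only by eight identical bytes, which the second sample payload shows. The sample payloads, the filler bytes and the function names are constructed here and are not taken from the pcap mentioned in the thread.

```python
import re

# Offsets are 0-based from the start of the UDP payload, as in Snort's
# byte_extract/byte_test; dsize:72 gates the byte_test rule on payload length.
EXPECTED_DSIZE = 72
EXTRACT_OFFSET = 63   # byte_extract:4,63,padding
TEST_OFFSET = 67      # byte_test:4,=,padding,67


def byte_test_rule(payload: bytes) -> bool:
    """Port of 'dsize:72; byte_extract:4,63,padding; byte_test:4,=,padding,67':
    a 72-byte payload whose 4 bytes at offset 63 equal the 4 bytes at
    offset 67 (bytes 63-66 compared with bytes 67-70)."""
    if len(payload) != EXPECTED_DSIZE:
        return False
    padding = int.from_bytes(payload[EXTRACT_OFFSET:EXTRACT_OFFSET + 4], "big")
    return int.from_bytes(payload[TEST_OFFSET:TEST_OFFSET + 4], "big") == padding


# Port of pcre:"/(.)\1{8}$/s": nine identical bytes ending the payload.
# \Z is used instead of $ because Python's $ (like PCRE's $ without the D
# modifier) also matches just before a trailing newline byte.
TAIL_RE = re.compile(rb"(.)\1{8}\Z", re.DOTALL)


def pcre_tail_rule(payload: bytes) -> bool:
    """True when the last nine bytes of the payload are identical."""
    return TAIL_RE.search(payload) is not None


def make_payload(tail: bytes, length: int = EXPECTED_DSIZE) -> bytes:
    """Constructed sample payload (not captured traffic): distinct filler
    bytes, so no accidental runs, followed by the given tail bytes."""
    filler = bytes(range(length - len(tail)))
    return filler + tail


def evaluate(payload: bytes) -> dict:
    """Report which of the two checks fire on one payload."""
    return {"byte_test": byte_test_rule(payload),
            "pcre_tail": pcre_tail_rule(payload)}


# Constructed samples covering the cases that separate the two checks.
SAMPLES = {
    "nine identical tail bytes": make_payload(b"\x00" * 9),
    "period-4 tail, bytes not identical": make_payload(b"\xde\xad\xbe\xef" * 2 + b"\x00"),
    "distinct tail bytes": make_payload(bytes(range(1, 10))),
    "73-byte payload, identical tail": make_payload(b"\x00" * 9, length=73),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:36} {evaluate(payload)}")
```

The period-4 sample fires the byte_test port but not the back-reference, and the 73-byte sample shows the dsize gate doing its work; feeding real UDP payloads extracted from a pcap into evaluate() is a quick way to confirm the offsets before shipping either rule.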

