[Emerging-Sigs] FPs on "ET TROJAN W32/Parite CnC Checkin" (sid 2013716)

Jeff Kell jeff-kell at utc.edu
Tue Oct 11 12:44:42 EDT 2011


On 10/4/2011 12:56 PM, Jeff Kell wrote:
> This signature is being triggered by the MSN "SeaPort" search thing
> (http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-August/008763.html).
>
> I have accumulated 359 hits from 17 sources directed to 33 different destinations.  All
> of the destination IPs are within Microsoft's space and have reverse lookups of the form
> "msnbot-a-b-c-d.search.msn.com" where "a.b.c.d" is the IP address of the host.
>
> The URIs are very long, most are longer than the initial packet, therefore I do not have
> complete information regarding the actual Host: or User-Agent directives.  For those
> that did fit within a packet, the User-Agent is "SeaPort/2.0" or "SeaPort/3.0", and the
> Host name is "g.ceipmsn.com".

To eliminate the MSN search gizmo, this needs a negated content.  Unless the original
author of this sid intended to catch the MSN behavior, I would suggest changing this to:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Parite CnC
Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os=";
http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/";
http_header; classtype:trojan-activity; sid:2013716; rev:1;)

Jeff
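As an added example (not from the post, and not Snort/Suricata or Emerging Threats code), the following Python script reproduces the matching logic of the proposed rule over a reassembled HTTP request: all four `http_uri` contents must be present, and the negated `content:!"SeaPort/"; http_header;` suppresses the alert when the header buffer carries the SeaPort User-Agent. The request samples, hostnames and URI parameter values are constructed for the demonstration; only the tokens `?MI=`, `&os=`, `&TE=`, `&TV=` and `SeaPort/` come from the rule above.

```python
# Added example: evaluator for the content/http_uri/http_header logic of the
# proposed sid 2013716 rule. Not Snort/Suricata code; the requests are constructed.

URI_TOKENS = ("?MI=", "&os=", "&TE=", "&TV=")   # content:"..."; http_uri; (all required)
NEGATED_HEADER = "SeaPort/"                      # content:!"SeaPort/"; http_header;


def parse_request(raw: bytes):
    """Split a reassembled request into the URI and header buffers.

    Mirrors the http_uri / http_header buffers: the URI is taken from the
    request line, the header buffer is everything after it up to the blank
    line. Operating on the reassembled stream matters because, as the post
    notes, these URIs are often longer than the first packet.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    uri = parts[1]
    headers = "\r\n".join(line.decode("latin-1") for line in lines[1:])
    return uri, headers


def evaluate(raw: bytes) -> dict:
    """Return which rule conditions held and whether the rule would alert."""
    uri, headers = parse_request(raw)
    checkin_pattern = all(tok in uri for tok in URI_TOKENS)
    seaport_header = NEGATED_HEADER in headers
    return {
        "checkin_pattern": checkin_pattern,
        "seaport_header": seaport_header,
        # positive contents must match, the negated content must NOT match
        "alert": checkin_pattern and not seaport_header,
    }


def rule_matches(raw: bytes) -> bool:
    return evaluate(raw)["alert"]


# Constructed sample 1: the MSN SeaPort traffic described in the post.
SEAPORT_REQUEST = (
    b"GET /sapi?MI=0123456789abcdef&os=6.1&TE=1&TV=3 HTTP/1.1\r\n"
    b"Host: g.ceipmsn.com\r\n"
    b"User-Agent: SeaPort/2.0\r\n"
    b"Connection: close\r\n\r\n"
)

# Constructed sample 2: same URI pattern with an unrelated User-Agent; this is
# the traffic the rule is meant to catch and should still alert.
GENERIC_REQUEST = (
    b"GET /c.php?MI=deadbeef&os=XP&TE=0&TV=1 HTTP/1.1\r\n"
    b"Host: cnc.example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)

# Constructed sample 3: ordinary browsing with none of the URI tokens.
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: SeaPort/3.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("seaport", SEAPORT_REQUEST),
                      ("generic", GENERIC_REQUEST),
                      ("benign", BENIGN_REQUEST)):
        print(name, evaluate(req))
```

Run on the three constructed requests, only the second one alerts: the SeaPort request carries the full URI pattern but is excluded by the negated header content, and the benign request never satisfies the URI contents. The check is only as good as the header buffer it sees, so on an engine without stream reassembly a request whose headers fall in a later packet would still be evaluated on an incomplete buffer.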

