[Emerging-Sigs] FPs on "ET TROJAN W32/Parite CnC Checkin" (sid 2013716)

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 12 07:42:24 EDT 2011


Modified, will be published shortly.

Thanks!

Matt


On Oct 11, 2011, at 12:44 PM, Jeff Kell wrote:

> On 10/4/2011 12:56 PM, Jeff Kell wrote:
>> This signature is being triggered by the MSN "SeaPort" search thing
>> (http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-August/008763.html).
>> 
>> I have accumulated 359 hits from 17 sources directed to 33 different destinations.  All
>> of the destination IPs are within Microsoft's space and have reverse lookups of the form
>> "msnbot-a-b-c-d.search.msn.com" where "a.b.c.d" is the IP address of the host.
>> 
>> The URIs are very long, most are longer than the initial packet, therefore I do not have
>> complete information regarding the actual Host: or User-Agent directives.  For those
>> that did fit within a packet, the User-Agent is "SeaPort/2.0" or "SeaPort/3.0", and the
>> Host name is "g.ceipmsn.com".
> 
> To eliminate the MSN search gizmo, this needs a negated content.  Unless the original
> author of this sid intended to catch the MSN behavior, I would suggest changing this to:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Parite CnC
> Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os=";
> http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/";
> http_header; classtype:trojan-activity; sid:2013716; rev:1;)
> 
> Jeff
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
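An added example, not code from the thread or from the ET ruleset: a small Python emulation of the content checks in sid:2013716, run over constructed requests, to show that the original rule fires on a SeaPort request while Jeff's revision with the negated http_header content does not and still alerts on a non-SeaPort client. The query values, paths and the second request are assumptions; only the User-Agent and Host values come from Jeff's report.

```python
# Emulation of the content checks in sid:2013716, to confirm that the negated
# "SeaPort/" http_header match drops the MSN SeaPort hits while the http_uri
# checks still fire on other clients. Each tuple is (pattern, buffer, negated).
ORIGINAL_RULE = [
    ("?MI=", "http_uri", False),
    ("&os=", "http_uri", False),
    ("&TE=", "http_uri", False),
    ("&TV=", "http_uri", False),
]
# Jeff's proposed revision adds: content:!"SeaPort/"; http_header;
REVISED_RULE = ORIGINAL_RULE + [("SeaPort/", "http_header", True)]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into the two buffers the rule inspects."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")  # "METHOD URI VERSION"
    uri = parts[1] if len(parts) >= 2 else ""
    return {"http_uri": uri, "http_header": header_block}


def rule_matches(rule, raw: str) -> bool:
    """Every positive content must be present and every negated one absent."""
    buffers = parse_request(raw)
    for pattern, buffer, negated in rule:
        found = pattern in buffers[buffer]
        if found == negated:  # positive pattern missing, or negated one present
            return False
    return True


# Constructed sample requests, not captures from the thread. The SeaPort one
# uses the User-Agent and Host values Jeff reported; the query keys are assumed
# so that the URI checks fire, as they did in his 359 hits.
SEAPORT_REQUEST = (
    "GET /search?MI=example&os=win&TE=1&TV=2 HTTP/1.1\r\n"
    "Host: g.ceipmsn.com\r\n"
    "User-Agent: SeaPort/2.0\r\n"
    "\r\n"
)
OTHER_REQUEST = (  # same URI keys, different User-Agent: must still alert
    "GET /c.php?MI=example&os=win&TE=1&TV=2 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)
```

Note that this only models the content options; as Jeff observes, a URI split across packets would still need the sensor's HTTP reassembly for the http_header check to see the User-Agent.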


