[Emerging-Sigs] W32.Duqu

Jaime Blasco jaime.blasco at alienvault.com
Wed Oct 19 17:20:12 EDT 2011

I sent a similar rule yesterday to the mailing list, but this one also adds the
filename from the POST, which is hardcoded as well:

# The form-data Content-Disposition is a multipart part header inside the request
# body, so the second content uses http_client_body (http_header only covers the
# HTTP header fields and would never see it). Reference URL left empty as posted.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.DUQU detected"; \
    flow:to_server,established; \
    content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv: Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; nocase; http_header; \
    content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; nocase; http_client_body; \
    reference:url,; classtype:policy-violation; sid:111111; rev:1;)

Best Regards

2011/10/19 Christopher Granger <chrisgrangerx at gmail.com>

> Hi Emerging Threats,
> What do you think about this to detect Duqu's UA?
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Duqu User-Agent"; \
>     flow:to_server,established; \
>     content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A| Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"; http_header; fast_pattern:only; \
>     reference:url,http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; \
>     classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> Thank you,
> -Chris
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


Jaime Blasco

Email: jaime.blasco at alienvault.com
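Added example, not part of either message above and not Emerging Threats code: a small Python model of the Snort options the two rules rely on (content with |hex| escapes, nocase, http_header, http_client_body), run over constructed multipart POSTs so the effect of each match can be seen without a sensor. Everything here is an assumption of the example: the request shapes are constructed, not captures; the User-Agent value in them is exactly the string the posted rule's first content decodes to (the posted rule has nothing between "rv:" and " Gecko"); the header and body buffers only approximate Snort's HTTP buffers, and flow, fast_pattern and the network tuple are ignored. The three rule variants show what each choice buys: a User-Agent-only rule fires on any upload from that agent, the rule with both contents tied to http_header never fires because the form-data Content-Disposition is in the request body, and moving that second content to http_client_body makes the filename match work.

```python
"""Offline model of the Snort content options used by the Duqu rules above.

Added example, not code from the post or from Emerging Threats. Models
content with |hex| escapes, nocase, http_header and http_client_body only.
"""
import re

# Jaime Blasco's rule as posted, joined onto one line (empty reference dropped).
# Note both contents are tied to http_header here.
RULE_AS_POSTED = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.DUQU detected"; '
    'flow:to_server,established; '
    'content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:'
    ' Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; nocase; http_header; '
    'content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; nocase; http_header; '
    'classtype:policy-violation; sid:111111; rev:1;)')
# Same rule, second content moved to the body buffer where a multipart part header lives.
RULE_BODY_FIXED = RULE_AS_POSTED.replace(
    'DSC00001.jpg|22|"; nocase; http_header;', 'DSC00001.jpg|22|"; nocase; http_client_body;')
# Christopher Granger's User-Agent-only rule (reference omitted, sid left as posted).
RULE_UA_ONLY = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Duqu User-Agent"; '
    'flow:to_server,established; '
    'content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|'
    ' Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"; http_header; fast_pattern:only; '
    'classtype:trojan-activity; sid:XXXXXXX; rev:1;)')
RULES = {"ua_only": RULE_UA_ONLY, "as_posted": RULE_AS_POSTED, "body_fixed": RULE_BODY_FIXED}

HEX_ESCAPE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def decode_content(text):
    """Expand |hex| escapes in a Snort content string and return raw bytes."""
    out, pos = bytearray(), 0
    for m in HEX_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))


def parse_contents(rule):
    """Return the rule's content matches with nocase flag and target buffer.
    Splitting on ';' is safe here: literal semicolons inside contents are |3b|."""
    options = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []
    for opt in (o.strip() for o in options.split(";")):
        if opt.startswith("content:"):
            raw = opt[len("content:"):].strip().strip('"')
            contents.append({"pattern": decode_content(raw), "nocase": False, "buffer": "packet"})
        elif opt == "nocase" and contents:
            contents[-1]["nocase"] = True
        elif opt in ("http_header", "http_client_body") and contents:
            contents[-1]["buffer"] = opt
    return contents


def http_buffers(raw):
    """Approximate Snort's buffers: header fields (request line excluded) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""
    return {"packet": raw, "http_header": fields + b"\r\n", "http_client_body": body}


def rule_matches(rule, raw):
    """True when every content of the rule is found in the buffer it names."""
    buffers = http_buffers(raw)
    for c in parse_contents(rule):
        buf, pat = buffers[c["buffer"]], c["pattern"]
        if c["nocase"]:
            buf, pat = buf.lower(), pat.lower()
        if pat not in buf:
            return False
    return True


# Constructed traffic, not captures. RULE_UA is exactly what the posted rule's first
# content decodes to (the posted rule has nothing between "rv:" and " Gecko").
RULE_UA = (b"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:"
           b" Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")
BENIGN_UA = b"Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"


def multipart_post(user_agent, field_name):
    """Build a raw HTTP POST carrying one multipart file part named field_name."""
    body = (b'--xYzZY\r\nContent-Disposition: form-data; name="' + field_name +
            b'"; filename="' + field_name + b'"\r\nContent-Type: image/jpeg\r\n\r\n'
            b'\xff\xd8\xff\xe0\r\n--xYzZY--\r\n')
    return (b"POST /upload.php HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: " + user_agent +
            b"\r\nContent-Type: multipart/form-data; boundary=xYzZY\r\nContent-Length: " +
            str(len(body)).encode() + b"\r\n\r\n" + body)


def evaluate():
    """Run every rule over three requests; returns {case: {rule_name: matched}}."""
    cases = {"rule_ua_dsc00001": multipart_post(RULE_UA, b"DSC00001.jpg"),
             "rule_ua_other_file": multipart_post(RULE_UA, b"photo.jpg"),
             "benign_ua_dsc00001": multipart_post(BENIGN_UA, b"DSC00001.jpg")}
    return {case: {name: rule_matches(rule, raw) for name, rule in RULES.items()}
            for case, raw in cases.items()}


if __name__ == "__main__":
    for case, hits in evaluate().items():
        print(case, hits)
```

Run as a script it prints one line per request. The as_posted column is False for all three, including the upload named DSC00001.jpg, because the second content is searched in the header buffer while the multipart part header sits in the body; body_fixed fires only on that one upload, and ua_only fires on both uploads from the matching agent regardless of filename.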
