[Emerging-Sigs] Jorik FakeAV sig

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 31 13:16:42 EST 2011


This look good to all:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Jorik FakeAV GET"; flow:established,to_server; content:"GET"; http_method; content:"/britix/a"; http_uri; content:"User-Agent|3a| Internet Explorer"; http_header; sid:2013807; rev:1;)

(I'll convert to snort versions as well)

Thanks!

Matt


On Oct 30, 2011, at 11:23 AM, Martin Holste wrote:

> Yep, looks like this one needs to be updated to content:"GET";
> http_method; content:"/britix/a"; http_uri;  By the way, "britix"
> never appears in any part of a URI legitimately in our experience, so
> this should not need any anchoring.
> 
> On Sat, Oct 29, 2011 at 10:19 PM, waldo kitty <wkitty42 at windstream.net> wrote:
>> On 10/29/2011 15:40, Jason wrote:
>>>> 
>>>> alert tcp $EXTERNAL_NET  any ->  $HOME_NET $HTTP_PORTS (msg:"UFOISC
>>>> Jorik FakeAV GET"; flow:established,to_server;  content:"GET /britix/a
>>>> HTTP/1.1"; fast_pattern:only; sid:9100560; rev:1;)
>>>> 
>>> 
>>> 
>>> Forgive me as I do not work often with snort. Would this signature also catch
>>> "/britix/ar"? You should be on guard for this in addition to the /a. Thank you.
>> 
>> strictly looking at the rule posted, it would appear that your URI is not
>> caught... why? because the space is invisible in the rule and it appears to read
>> as "/a http/1.1" (no case on purpose)... which means that "/a" followed by a
>> space plus the http revision is all that's looked for...
>> 
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
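The thread's point is that the original raw-content rule (`"GET /britix/a HTTP/1.1"` in one string) only fires when `/a` is immediately followed by the HTTP version, so `/britix/ar` slips past, while the buffer-based rewrite (`http_method`, `http_uri`, `http_header`) matches `/britix/a` as a substring of the URI. The script below is an added illustration, not code from the list or from Emerging Threats: it parses constructed HTTP requests into the same buffers the rule keywords refer to and models each keyword as a plain substring match (a simplification; Snort/Suricata also normalize these buffers, which the model ignores). The request samples and function names are assumptions made for the example.

```python
"""Model the two Jorik FakeAV rule styles from the thread as substring checks.

Constructed example: the requests below are made up for illustration, and the
matching is a simplification of real Snort/Suricata content-buffer semantics.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class HttpRequest:
    raw: bytes            # the bytes a raw tcp-payload content match sees
    method: str           # what http_method points at
    uri: str              # what http_uri points at
    header_buf: str       # what http_header points at ("Name: value\r\n" lines)


def parse_request(raw: bytes) -> HttpRequest:
    """Split a request into request-line parts and the header block."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    header_buf = "".join(line + "\r\n" for line in lines[1:] if line)
    return HttpRequest(raw, method, uri, header_buf)


def old_rule_matches(req: HttpRequest) -> bool:
    """UFOISC sid:9100560 style: one raw content match over the payload.

    "/a" must be followed by a space and the version, so "/britix/ar" misses.
    """
    return b"GET /britix/a HTTP/1.1" in req.raw


def new_rule_matches(req: HttpRequest) -> bool:
    """ET sid:2013807 style: method, URI and header buffers checked separately.

    "/britix/a" is a substring test on the URI, so "/britix/ar" also matches;
    the extra User-Agent content narrows the rule to the malware's UA string.
    """
    return (
        "GET" in req.method
        and "/britix/a" in req.uri
        and "User-Agent: Internet Explorer" in req.header_buf
    )


# Constructed sample traffic (not real captures).
SAMPLES: Dict[str, bytes] = {
    "britix_a": (
        b"GET /britix/a HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Internet Explorer\r\n\r\n"
    ),
    "britix_ar": (
        b"GET /britix/ar HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Internet Explorer\r\n\r\n"
    ),
    "britix_a_browser_ua": (
        b"GET /britix/a HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    "benign": (
        b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
}


def evaluate(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (old_rule_hit, new_rule_hit)} for each sample request."""
    results = {}
    for name, raw in samples.items():
        req = parse_request(raw)
        results[name] = (old_rule_matches(req), new_rule_matches(req))
    return results


if __name__ == "__main__":
    for name, (old_hit, new_hit) in evaluate().items():
        print(f"{name:22s} old rule: {old_hit!s:5s} new rule: {new_hit}")
```

Running it shows the two rules disagreeing in both directions: `/britix/ar` is caught only by the buffer-based rule, and a `/britix/a` request without the `Internet Explorer` User-Agent is caught only by the old one, which is the trade-off the added header content makes.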
