[Emerging-Sigs] Kelihos p2p sig

harry.tuttle harry.tuttle at zoho.com
Mon Dec 10 14:04:59 HAST 2012


Although the values vary, the same two byte pattern repeats in the locations specified in the rule. I'm extracting the first occurrence and then testing the next five. For example (from one of the anubis pcaps):

0000 92 27 fc 57 72 bb 52 54 00 12 34 56 08 00 45 00
0010 03 98 01 de 40 00 80 06 36 cd c0 a8 00 02 1f df
0020 de 2b 04 0c 00 50 b3 e9 7b 10 85 f4 77 e2 50 10
0030 41 50 0f 3e 00 00 2b 81 d8 7e ba 81 d8 7e ca 81
0040 d8 7e ab 86 d8 7e f0 85 d8 7e b0 86 d8 7e c8 04
0050 87 30 26 47 78 77 c8 6f f9 45 dd 7a 95 c9 8c db

The negations (or at least one) are required to make sure that the data varies in between the matches. Otherwise it will false on a long string with the same byte repeated (saw that when testing).

I understand that it is costly. In my environment, it works out ok.

Regards,
Harry


---- On Mon, 10 Dec 2012 15:13:43 -0800 Joel Esler wrote ---- 

>This will run on every single packet that goes through the system. That's why it's intensive. Can you explain your matches? 
> 
>-- 
>Joel Esler 
>Sent from my iPad 
> 
>On Dec 10, 2012, at 5:21 PM, "harry.tuttle" wrote: 
> 
>> I came up with the following from samples provided by abuse.ch. Their blog post on the subject: http://www.abuse.ch/?p=4878 
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos p2p traffic detected via byte_test"; flow:established,to_server; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn; rev:1;) 
>> 
>> It's not the best performer, but there are worse rules in the set. It definitely falses without at least one negation, but we might not need all three. Likewise, we may not need all five positive matches. Let me know what you all think. 
>> 
>> PCAPs are on anubis: 
>> http://anubis.iseclab.org/?action=result&task_id=169229bb0f9f35a2481b61b009bec78a2 
>> http://anubis.iseclab.org/?action=result&task_id=16c11de16e343f10491dafb827b7cebe5 
>> 
>> Regards, 
>> Harry 
>> 
>
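As an added example, not part of the thread: the quoted rule's byte_extract/byte_test chain modelled in Python and run over the TCP payload of the packet dump above, beside the same-byte string Harry says falses without the negations. It assumes Snort's defaults for these keywords (offsets absolute from the start of the payload, 2-byte big-endian values); the dump parser and header stripping are helpers written for this example.

```python
# Packet bytes copied from the hex dump in the message above (anubis pcap excerpt).
HEX_DUMP = """
0000 92 27 fc 57 72 bb 52 54 00 12 34 56 08 00 45 00
0010 03 98 01 de 40 00 80 06 36 cd c0 a8 00 02 1f df
0020 de 2b 04 0c 00 50 b3 e9 7b 10 85 f4 77 e2 50 10
0030 41 50 0f 3e 00 00 2b 81 d8 7e ba 81 d8 7e ca 81
0040 d8 7e ab 86 d8 7e f0 85 d8 7e b0 86 d8 7e c8 04
0050 87 30 26 47 78 77 c8 6f f9 45 dd 7a 95 c9 8c db
"""

def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset b0 b1 ...' lines into raw bytes (the offset column is dropped)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out += bytes.fromhex("".join(line.split()[1:]))
    return bytes(out)

def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II, IPv4 and TCP headers using the IHL and data-offset fields."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    doff = (tcp[12] >> 4) * 4
    return tcp[doff:]

# Offsets taken from the rule: byte_extract at 2, five equal tests, three negated tests.
EXTRACT_AT = 2
MUST_EQUAL = (6, 10, 14, 18, 22)
MUST_DIFFER = (0, 4, 8)

def kelihos_rule_matches(payload: bytes, negations: tuple = MUST_DIFFER) -> bool:
    """Model of the rule's byte_extract/byte_test chain (2-byte, big-endian, absolute offsets)."""
    if len(payload) < max(MUST_EQUAL + negations) + 2:
        return False  # a byte_test whose offset runs past the payload does not match
    value = payload[EXTRACT_AT:EXTRACT_AT + 2]  # byte_extract:2,2,kelihos.p2p
    if any(payload[o:o + 2] != value for o in MUST_EQUAL):
        return False
    return all(payload[o:o + 2] != value for o in negations)

def demo():
    sample = tcp_payload(parse_hexdump(HEX_DUMP))
    uniform = b"A" * 64  # constructed: the long same-byte string that falses without negations
    return {
        "sample_full_rule": kelihos_rule_matches(sample),
        "uniform_full_rule": kelihos_rule_matches(uniform),
        "uniform_without_negations": kelihos_rule_matches(uniform, negations=()),
    }

if __name__ == "__main__":
    print(demo())
```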