[Emerging-Sigs] Kelihos p2p sig

Will Metcalf wmetcalf at emergingthreatspro.com
Mon Dec 10 14:07:06 HAST 2012


Will take a gander tomorrow. Thanks Harry! Was thinking of doing some DGA
+ exe download sigs for this dude.

Regards,

Will

On Mon, Dec 10, 2012 at 6:04 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:

> Although the values vary, the same two byte pattern repeats in the
> locations specified in the rule. I'm extracting the first occurrence and
> then testing the next five. For example (from one of the anubis pcaps):
>
> 0000 92 27 fc 57 72 bb 52 54 00 12 34 56 08 00 45 00
> 0010 03 98 01 de 40 00 80 06 36 cd c0 a8 00 02 1f df
> 0020 de 2b 04 0c 00 50 b3 e9 7b 10 85 f4 77 e2 50 10
> 0030 41 50 0f 3e 00 00 2b 81 d8 7e ba 81 d8 7e ca 81
> 0040 d8 7e ab 86 d8 7e f0 85 d8 7e b0 86 d8 7e c8 04
> 0050 87 30 26 47 78 77 c8 6f f9 45 dd 7a 95 c9 8c db
>
> The negations (or at least one) are required to make sure that the data
> varies in between the matches. Otherwise it will false on a long string
> with the same byte repeated (saw that when testing).
>
> I understand that it is costly. In my environment, it works out ok.
>
> Regards,
> Harry
>
>
> ---- On Mon, 10 Dec 2012 15:13:43 -0800 Joel Esler wrote ----
>
> >This will run on every single packet that goes through the system. That's
> >why it's intensive. Can you explain your matches?
> >
> >--
> >Joel Esler
> >Sent from my iPad
> >
> >On Dec 10, 2012, at 5:21 PM, "harry.tuttle" wrote:
> >
> >> I came up with the following from samples provided by abuse.ch. Their
> >> blog post on the subject: http://www.abuse.ch/?p=4878
> >>
> >> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos p2p
> >> traffic detected via byte_test"; flow:established,to_server;
> >> byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6;
> >> byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14;
> >> byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22;
> >> byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4;
> >> byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn;
> >> rev:1;)
> >>
> >> It's not the best performer, but there are worse rules in the set. It
> >> definitely falses without at least one negation, but we might not need all
> >> three. Likewise, we may not need all five positive matches. Let me know
> >> what you all think.
> >>
> >> PCAPs are on anubis:
> >>
> >> http://anubis.iseclab.org/?action=result&task_id=169229bb0f9f35a2481b61b009bec78a2
> >>
> >> http://anubis.iseclab.org/?action=result&task_id=16c11de16e343f10491dafb827b7cebe5
> >>
> >> Regards,
> >> Harry
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at lists.emergingthreats.net
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >> Support Emerging Threats! Subscribe to Emerging Threats Pro
> >> http://www.emergingthreatspro.com
> >> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> >> Current!
> >
>
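As an added example (not code from the thread, nor from the Emerging Threats rule set), the byte_extract/byte_test chain of Harry's rule re-implemented in Python so it can be checked offline: it is run over the payload of the frame in the quoted hex dump and over the repeated-byte case that the negations exist to reject. The function names and the `negations` argument are my own; the offsets and sizes are the rule's.

```python
import struct

# Frame from the hex dump quoted in the thread (first 0x60 bytes of one packet
# from the anubis pcap); Ethernet + IPv4 + TCP headers precede the payload.
FRAME = bytes.fromhex(
    "92 27 fc 57 72 bb 52 54 00 12 34 56 08 00 45 00 "
    "03 98 01 de 40 00 80 06 36 cd c0 a8 00 02 1f df "
    "de 2b 04 0c 00 50 b3 e9 7b 10 85 f4 77 e2 50 10 "
    "41 50 0f 3e 00 00 2b 81 d8 7e ba 81 d8 7e ca 81 "
    "d8 7e ab 86 d8 7e f0 85 d8 7e b0 86 d8 7e c8 04 "
    "87 30 26 47 78 77 c8 6f f9 45 dd 7a 95 c9 8c db "
)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet/IPv4/TCP headers, honouring IHL and the TCP data offset.
    Assumes an untagged Ethernet frame, which holds for the quoted one."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:]


def kelihos_p2p_match(payload: bytes, negations=(0, 4, 8)) -> bool:
    """Python mirror of the rule's byte_extract/byte_test chain.

    byte_extract:2,2,kelihos.p2p      -> the 2 bytes at payload offset 2
    byte_test:2,=,kelihos.p2p,<off>   -> same value at offsets 6,10,14,18,22
    byte_test:2,!=,kelihos.p2p,<off>  -> different value at offsets 0,4,8
    'negations' is a knob added here to show why the != tests are needed."""
    positives = (6, 10, 14, 18, 22)
    if len(payload) < 24:
        return False  # a byte_test past the end of the payload never matches
    # byte_extract/byte_test convert big-endian by default, as the rule relies on
    kelihos_p2p = struct.unpack_from(">H", payload, 2)[0]
    for off in positives:
        if struct.unpack_from(">H", payload, off)[0] != kelihos_p2p:
            return False
    for off in negations:
        if struct.unpack_from(">H", payload, off)[0] == kelihos_p2p:
            return False
    return True


if __name__ == "__main__":
    print(kelihos_p2p_match(tcp_payload(FRAME)))       # True: the pcap sample
    print(kelihos_p2p_match(b"A" * 40))                # False: run of one byte rejected
    print(kelihos_p2p_match(b"A" * 40, negations=()))  # True: the false positive Harry saw
```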