[Emerging-Sigs] Kelihos p2p sig

Will Metcalf wmetcalf at emergingthreatspro.com
Tue Dec 11 16:32:49 HAST 2012


These FP'd quite a bit on captures from various networks; however, they also
seem to detect Kelihos pretty well, at least based on our samples.  I will
see if I can find something to reduce FPs tomorrow.

Regards,

Will

On Mon, Dec 10, 2012 at 6:07 PM, Will Metcalf <
wmetcalf at emergingthreatspro.com> wrote:

> Will take a gander tomorrow. Thanks Harry!  Was thinking of doing some DGA
> + exe download sigs for this dude..
>
> Regards,
>
> Will
>
>
> On Mon, Dec 10, 2012 at 6:04 PM, harry.tuttle <harry.tuttle at zoho.com> wrote:
>
>> Although the values vary, the same two byte pattern repeats in the
>> locations specified in the rule. I'm extracting the first occurrence and
>> then testing the next five. For example (from one of the anubis pcaps):
>>
>> 0000 92 27 fc 57 72 bb 52 54 00 12 34 56 08 00 45 00
>> 0010 03 98 01 de 40 00 80 06 36 cd c0 a8 00 02 1f df
>> 0020 de 2b 04 0c 00 50 b3 e9 7b 10 85 f4 77 e2 50 10
>> 0030 41 50 0f 3e 00 00 2b 81 d8 7e ba 81 d8 7e ca 81
>> 0040 d8 7e ab 86 d8 7e f0 85 d8 7e b0 86 d8 7e c8 04
>> 0050 87 30 26 47 78 77 c8 6f f9 45 dd 7a 95 c9 8c db
>>
>> The negations (or at least one) are required to make sure that the data
>> varies in between the matches. Otherwise it will false on a long string
>> with the same byte repeated (saw that when testing).
>>
>> I understand that it is costly. In my environment, it works out ok.
>>
>> Regards,
>> Harry
>>
>>
>> ---- On Mon, 10 Dec 2012 15:13:43 -0800 Joel Esler wrote ----
>>
>> >This will run on every single packet that goes through the system.
>> That's why it's intensive. Can you explain your matches?
>> >
>> >--
>> >Joel Esler
>> >Sent from my iPad
>> >
>> >On Dec 10, 2012, at 5:21 PM, "harry.tuttle" wrote:
>> >
>> >> I came up with the following from samples provided by abuse.ch. Their
>> blog post on the subject: http://www.abuse.ch/?p=4878
>> >>
>> >> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Kelihos
>> p2p traffic detected via byte_test"; flow:established,to_server;
>> byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6;
>> byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14;
>> byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22;
>> byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4;
>> byte_test:2,!=,kelihos.p2p,8; classtype:trojan-activity; sid:nnnnnnn;
>> rev:1;)
>> >>
>> >> It's not the best performer, but there are worse rules in the set. It
>> definitely falses without at least one negation, but we might not need all
>> three. Likewise, we may not need all five positive matches. Let me know
>> what you all think.
>> >>
>> >> PCAPs are on anubis:
>> >>
>> http://anubis.iseclab.org/?action=result&task_id=169229bb0f9f35a2481b61b009bec78a2
>> >>
>> http://anubis.iseclab.org/?action=result&task_id=16c11de16e343f10491dafb827b7cebe5
>> >>
>> >> Regards,
>> >> Harry
>> >>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at lists.emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>> >> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> >> The ONLY place to get complete premium rulesets for Snort 2.4.0
>> through Current!
>> >
>>
>>
>
>
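Added example (not part of the thread, and not Emerging Threats' code): the byte_extract/byte_test logic of the rule Harry posted, reimplemented in Python so it can be checked offline against the packet from his hex dump. The dump is copied verbatim from the message above; the script strips the 14-byte Ethernet II, IPv4 and TCP headers (the dump shows those framing types) to get the TCP payload, then evaluates the rule's options in order. It also runs the rule over a constructed payload of one repeated byte to show the false positive Harry mentions when the `!=` tests are dropped. Function names are the example's own.

```python
# Added example, not from the mailing list: evaluate the posted Kelihos
# byte_extract/byte_test rule in Python against a captured payload.

# Packet hex dump copied from Harry's message (anubis capture).
SAMPLE_DUMP = """
0000 92 27 fc 57 72 bb 52 54 00 12 34 56 08 00 45 00
0010 03 98 01 de 40 00 80 06 36 cd c0 a8 00 02 1f df
0020 de 2b 04 0c 00 50 b3 e9 7b 10 85 f4 77 e2 50 10
0030 41 50 0f 3e 00 00 2b 81 d8 7e ba 81 d8 7e ca 81
0040 d8 7e ab 86 d8 7e f0 85 d8 7e b0 86 d8 7e c8 04
0050 87 30 26 47 78 77 c8 6f f9 45 dd 7a 95 c9 8c db
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset b0 b1 ...' lines into raw bytes (offset column dropped)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        out.extend(int(b, 16) for b in fields[1:])
    return bytes(out)


def tcp_payload(frame: bytes) -> bytes:
    """Strip Ethernet II (14 bytes) + IPv4 + TCP headers.

    Header lengths are read from the IPv4 IHL nibble and the TCP data
    offset, so options would be handled; assumes no VLAN tag (true for
    the dump above).
    """
    eth_len = 14
    ihl = (frame[eth_len] & 0x0F) * 4
    tcp_start = eth_len + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_off:]


def read_u16(payload: bytes, offset: int):
    """Snort-style 2-byte read (big-endian, as byte_extract defaults to).

    Returns None when the payload is too short; Snort treats an
    out-of-bounds byte_test as a non-match, and so does the caller.
    """
    if offset < 0 or offset + 2 > len(payload):
        return None
    return int.from_bytes(payload[offset:offset + 2], "big")


def kelihos_rule(payload: bytes, negations=(0, 4, 8)) -> bool:
    """Mirror the rule's options in order:
         byte_extract:2,2,kelihos.p2p
         byte_test:2,=,kelihos.p2p,{6,10,14,18,22}
         byte_test:2,!=,kelihos.p2p,{0,4,8}
    `negations=()` drops the != tests, reproducing the false positive
    on a run of one repeated byte.
    """
    ref = read_u16(payload, 2)            # byte_extract:2,2,kelihos.p2p
    if ref is None:
        return False
    for off in (6, 10, 14, 18, 22):       # the five positive byte_tests
        if read_u16(payload, off) != ref:
            return False
    for off in negations:                 # the negated byte_tests
        v = read_u16(payload, off)
        if v is None or v == ref:
            return False
    return True


def sample_payload() -> bytes:
    """TCP payload of the dumped packet (starts at frame offset 0x36)."""
    return tcp_payload(parse_hexdump(SAMPLE_DUMP))


if __name__ == "__main__":
    p = sample_payload()
    print("extracted kelihos.p2p = 0x%04x" % read_u16(p, 2))
    print("capture matches rule:", kelihos_rule(p))
    filler = b"A" * 40   # constructed: a long run of one byte
    print("filler, with negations:", kelihos_rule(filler))
    print("filler, without negations:", kelihos_rule(filler, negations=()))
```

Running it on the dump extracts `0xd87e` at payload offset 2 and finds the same value at offsets 6, 10, 14, 18 and 22 with different values at 0, 4 and 8, so the rule fires; the 40-byte `A` run is rejected only because of the `!=` tests. The script does not reproduce Joel's cost concern, which is about Snort evaluating these options on every packet for lack of a fast-pattern content match, but it makes it easy to test any candidate content anchor against the same payload before adding it to the rule.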

