[Emerging-Sigs] Are these FPs or not?
nathan at packetmail.net
Thu Dec 13 04:18:12 HAST 2012
On 12/12/2012 06:13 PM, Christopher Granger wrote:
> Example requests from validated infections, each using a unique set of C&C servers
> Inline image 2
> Inline image 1
Very good thread, I too am looking at User-Agent as an indicator of compromise
in addition to other things on the SSL channels.
Something worth noting here is that Mozilla/5.0 did not exist with MSIE until
MSIE 9. This incorrect branding is a good way to detect badness. My proxy logs
are in Hadoop/Hive and I am using this query to detect on badness inclusive of
some recent Ponmocup findings.
A "Hiveism" is the use of double-escapes; obviously for PCRE this is
superfluous. The below might be able to be used to tie Mozilla versions to MSIE
versions as an outlier for anomalous User-Agents. Seems we could craft some
less PCRE-heavy sigs based on the logic below.
select distinct http_status,user_name,client_ip,url,user_agent
from webwasher_full
where day='$PARTITION'
  and (
       -- Mozilla/4.x paired with an MSIE version outside 4-8
       user_agent rlike 'Mozilla\\/4\\.[^\\r\\n]+\\x3b MSIE [^4-8]'
       -- Mozilla/5.x paired with an MSIE version that is not 9, 10 or 11
    or user_agent rlike 'Mozilla\\/5\\.[^\\r\\n]+\\x3b MSIE [^19]\\d?'
       -- Windows NT major version outside 4-6
    or user_agent rlike 'Mozilla\\/[^\\r\\n]+\\x3b Windows NT [^4-6]'
    or user_agent like '%Windows NT 4%'
  )
  -- known legitimate oddities excluded
  and user_agent not like '% GoogleToolbar %'
  and url not like '%.adobe.com/%'
  and url not like '%.real.com/%'
  and user_agent not like '% Placeware RPC %'
order by url,user_agent,client_ip,user_name,http_status;
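The same branding checks expressed outside Hive, as an added example that is not the poster's code: a Python re-implementation of the four User-Agent conditions and the allow-list exclusions from the query above, run over constructed tab-separated proxy lines (the log layout and the sample lines are assumptions, not real traffic).

```python
import re

# Added example: Python re-implementation of the User-Agent checks in the
# Hive query above. Not the original poster's code. The tab-separated log
# layout used by scan() is an assumption for this example.
# Rationale from the thread: "Mozilla/5.0" was not paired with MSIE before
# MSIE 9, so an MSIE User-Agent whose Mozilla version and MSIE version
# disagree is mis-branded and worth a look.

UA_RULES = [
    # Mozilla/4.x is expected to carry MSIE 4 through 8
    ("mozilla4_with_unexpected_msie",
     re.compile(r"Mozilla/4\.[^\r\n]+; MSIE [^4-8]")),
    # Mozilla/5.x is expected to carry MSIE 9, 10 or 11 (first digit 9 or 1)
    ("mozilla5_with_unexpected_msie",
     re.compile(r"Mozilla/5\.[^\r\n]+; MSIE [^19]\d?")),
    # Windows NT major versions outside 4-6 were unexpected when this was written
    ("unexpected_windows_nt_major",
     re.compile(r"Mozilla/[^\r\n]+; Windows NT [^4-6]")),
    # The original query also flags Windows NT 4 outright
    ("windows_nt_4", re.compile(r"Windows NT 4")),
]

# Exclusions carried over from the original query
UA_ALLOW = (" GoogleToolbar ", " Placeware RPC ")
URL_ALLOW = (".adobe.com/", ".real.com/")


def classify(user_agent, url):
    """Return the names of the rules a User-Agent triggers ([] if clean or allow-listed)."""
    if any(a in user_agent for a in UA_ALLOW) or any(a in url for a in URL_ALLOW):
        return []
    return [name for name, rx in UA_RULES if rx.search(user_agent)]


def scan(log_lines):
    """Parse tab-separated proxy lines (status, user, client_ip, url, user_agent)
    and return {(client_ip, user_agent): [rule names]} for lines that hit a rule.
    Keying on (client_ip, user_agent) mirrors the 'select distinct' in the query."""
    hits = {}
    for line in log_lines:
        status, user, client_ip, url, user_agent = line.rstrip("\n").split("\t")
        matched = classify(user_agent, url)
        if matched:
            hits[(client_ip, user_agent)] = matched
    return hits


# Constructed sample proxy lines (not real traffic)
SAMPLE_LOG = [
    "200\tjdoe\t10.0.0.5\thttp://example.com/\tMozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "200\tjdoe\t10.0.0.6\thttp://example.org/\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "200\tasmith\t10.0.0.7\thttp://example.net/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "200\tasmith\t10.0.0.8\thttp://example.com/\tMozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)",
    "200\tbng\t10.0.0.9\thttp://www.adobe.com/go/x\tMozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "200\tbng\t10.0.0.10\thttp://example.com/\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0)",
]

if __name__ == "__main__":
    for (client_ip, user_agent), rules in scan(SAMPLE_LOG).items():
        print(client_ip, user_agent, "->", ", ".join(rules))
```

Of the six constructed lines, three hit: the Mozilla/5.0 + MSIE 7.0 line, the Mozilla/4.0 + MSIE 9.0 line, and the last one, which fires only because `[^4-6]` predates "Windows NT 10.0"; the character class in that third condition is a 2012 assumption about NT major versions and needs revisiting before reuse on current logs. The legitimate IE6 (Mozilla/4.0 + MSIE 6.0) and IE9 (Mozilla/5.0 + MSIE 9.0) lines stay quiet, and the adobe.com line is suppressed by the URL allow-list exactly as in the query.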