[Emerging-Sigs] Daily Ruleset Update Summary 09/092014

Darien Huss dhuss at emergingthreats.net
Wed Sep 10 23:20:41 EDT 2014


The URI contents are split up so the first match fits into the 20-byte
default size of the fast pattern matcher. The "/maxpower-static/" always
occurs at depth:17, but since we are not checking depth
(fast_pattern:only), we have applied an offset of 17 so the content matcher
doesn't waste time looking in the first 17 bytes where "templates/" cannot
occur.

-Darien

On Wed, Sep 10, 2014 at 4:42 PM, rmkml <rmkml at yahoo.fr> wrote:

> Thx Waldo,
>
> For example found on this link:
> (http://www.sophos.com/fr-fr/threat-center/threat-analyses/
> adware-and-puas/SoftPulse/detailed-analysis.aspx)
>
> http://stan.mxp2098.com/maxpower-static/templates/
> 2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/images/bg_app.png
> http://stan.mxp2098.com/maxpower-static/templates/
> 2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/style.css
> http://stan.mxp2098.com/maxpower-static/templates/
> 2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/t2/css/style.css
>
> "/maxpower-static/" length is exactly 17, but why split into two http_uri
> contents?
>
> Maybe replace with?
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP
> Win32.SoftPulse Retrieving data"; flow:established,to_server;
> content:"GET"; http_method; content:"/maxpower-static/templates/";
> depth:27; http_uri; content:!"Referer|3a|"; http_header; reference:md5,
> 4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; sid:2019143;
> rev:3;)
>
> Regards
> @Rmkml
>
>
> On Wed, 10 Sep 2014, waldo kitty wrote:
>
>  On 9/10/2014 4:06 PM, rmkml wrote:
>>
>>>  Thx Community and @EmergingThreats team,
>>>
>>>  Could you share url with this sig please ?
>>>
> >>>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PUP
> >>>  Win32.SoftPulse Retrieving data"; flow:established,to_server;
> >>>  content:"GET"; http_method; content:"/maxpower-static/"; http_uri;
> >>>  fast_pattern:only; content:"templates/"; offset:17; depth:10; http_uri;
> >>>  content:!"Referer|3a|"; http_header;
> >>>  reference:md5,4aa02ca6a3f04cf445924a6d657d10e5;
> >>>  classtype:trojan-activity; sid:2019143; rev:2;)
>>>
>>>  because I am curious with offset/depth.
>>>
>>
>> if i'm reading references.conf correctly, that url would be
>>
>> http://www.threatexpert.com/report.aspx?md5=
>> 4aa02ca6a3f04cf445924a6d657d10e5
>>
>> i don't know how to get to the actual item, though...
>>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
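The offset/depth/fast_pattern behaviour discussed in this thread, as an added example (it is not Emerging Threats, Snort or Suricata code and is not part of the original mails). It emulates one `content` keyword with the offset/depth window, models `fast_pattern:only` as a prefix-only check truncated to the 20-byte length Darien quotes, and runs sid 2019143 rev 2 and rmkml's proposed rev 3 side by side over the three URIs from the thread plus two constructed URIs; the constructed "reordered" URI is the only shape on which the two revisions disagree.

```python
"""Emulation of the Snort/Suricata content modifiers discussed in this thread
(offset, depth, fast_pattern:only), applied to ET sid 2019143 rev 2 and to the
single-content rev 3 proposed by rmkml.

Added example for this thread; not Emerging Threats, Snort or Suricata code.
THREAD_URIS are the URIs quoted in the thread; the CONSTRUCTED_* samples and
the header blocks are made up here for illustration.
"""
from typing import Optional, Tuple

# Default fast-pattern length quoted by Darien in this thread. It is a
# detection-engine setting, not a property of the rule language itself.
FAST_PATTERN_MAX_LEN = 20


def fast_pattern_key(pattern: bytes, max_len: int = FAST_PATTERN_MAX_LEN) -> bytes:
    """Return the prefix the fast pattern matcher would actually search for.

    A content longer than max_len is truncated for the multi-pattern search;
    with fast_pattern:only there is no later verification of the full string.
    """
    return pattern[:max_len]


def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Emulate one 'content' keyword with optional offset/depth.

    offset: byte index at which the search starts (default 0).
    depth:  size of the search window counted from offset (default: to end).
    Without either modifier the pattern may occur anywhere in the buffer.
    """
    end = len(buf) if depth is None else offset + depth
    return buf.find(pattern, offset, end) != -1


def http_header_ok(header_block: bytes) -> bool:
    """content:!"Referer|3a|"; http_header;  -> the request has no Referer."""
    return not content_match(header_block, b"Referer:")


def sid_2019143_rev2(method: bytes, uri: bytes, header_block: bytes) -> bool:
    """rev 2 as posted: two http_uri contents.

    content:"/maxpower-static/"; http_uri; fast_pattern:only;
        -> 17 bytes, fits the fast pattern; no offset/depth, so anywhere in URI
    content:"templates/"; offset:17; depth:10; http_uri;
        -> bytes 17..27 of the URI must be exactly "templates/"
    """
    return (method == b"GET"
            and content_match(uri, fast_pattern_key(b"/maxpower-static/"))
            and content_match(uri, b"templates/", offset=17, depth=10)
            and http_header_ok(header_block))


def sid_2019143_rev3_proposed(method: bytes, uri: bytes, header_block: bytes) -> bool:
    """rmkml's proposal: one 27-byte content anchored with depth:27.

    content:"/maxpower-static/templates/"; depth:27; http_uri;
        -> the URI must begin with the whole 27-byte string
    """
    return (method == b"GET"
            and content_match(uri, b"/maxpower-static/templates/", depth=27)
            and http_header_ok(header_block))


# Constructed header blocks (not from the thread).
NO_REFERER = b"Host: stan.mxp2098.com\r\nUser-Agent: Mozilla/4.0\r\n"
WITH_REFERER = NO_REFERER + b"Referer: http://stan.mxp2098.com/\r\n"

# URIs quoted in the thread (path part only).
THREAD_URIS = [
    b"/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/images/bg_app.png",
    b"/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/css/style.css",
    b"/maxpower-static/templates/2014/04/406b6f4a-c4b9-11e3-81ee-06a3579b0dab/t2/css/style.css",
]

# Constructed, not from the thread: the same directory without "templates/" at
# byte 17, and a URI where "templates/" sits at byte 17 but "/maxpower-static/"
# appears later. The second one is where rev 2 and rev 3 disagree.
CONSTRUCTED_NO_TEMPLATES = b"/maxpower-static/css/style.css"
CONSTRUCTED_REORDERED = b"/" + b"a" * 15 + b"/templates/x/maxpower-static/"


def evaluate(uri: bytes, header_block: bytes = NO_REFERER) -> Tuple[bool, bool]:
    """Run both revisions on a GET for uri; returns (rev2_alert, rev3_alert)."""
    return (sid_2019143_rev2(b"GET", uri, header_block),
            sid_2019143_rev3_proposed(b"GET", uri, header_block))


if __name__ == "__main__":
    for sample in THREAD_URIS + [CONSTRUCTED_NO_TEMPLATES, CONSTRUCTED_REORDERED]:
        print(evaluate(sample), sample.decode())
    # What the fast pattern matcher would see of rmkml's 27-byte content
    # if it were made the fast pattern under the 20-byte default.
    print(fast_pattern_key(b"/maxpower-static/templates/"))
```

The constructed reordered URI shows what Darien's offset:17 is relying on: rev 2 never verifies that "/maxpower-static/" is at byte 0, so it alerts as long as that string occurs somewhere and "templates/" is at byte 17. Given his observation that the directory always sits at depth 17 that gap is academic, but it is the trade made for keeping the fast pattern a short exact match.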