[Emerging-Sigs] Current Events: Detection for Kuluoz spam, embedded link

Darien Huss dhuss at emergingthreats.net
Mon Sep 15 11:08:45 EDT 2014


Unfortunately this sig will FP a lot, and Kuluoz/Asprox is well covered by
2017895.

Regards,
Darien

On Sat, Sep 13, 2014 at 2:48 PM, Darien Huss <dhuss at emergingthreats.net>
wrote:

> Thanks Ben/Rmkml, we'll take a look at this and if all is good get it into
> QA for Monday.
>
> Regards,
> Darien
>
> On Fri, Sep 12, 2014 at 6:29 PM, Ben Koenig <koenigb at gmail.com> wrote:
>
>> 2nd minor tweak:
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS You
>> have voice message Kuluoz.D URI"; flow:established,to_server;
>> content:".php?"; http_uri; fast_pattern:only;
>> pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}$/U"; reference:url,
>> www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/;
>> classtype:trojan-activity; sid:XxXxXxXx; rev:1;)
>>
>> Updated with $/U at end of PCRE.
>>
>> -Ben.
>>
>> On Fri, Sep 12, 2014 at 3:13 PM, Ben Koenig <koenigb at gmail.com> wrote:
>>
>>> minor tweak:
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
>>> You have voice message Kuluoz.D URI"; flow:established,to_server;
>>> content:".php?"; http_uri; fast_pattern:only;
>>> pcre:"/\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}"; reference:url,
>>> www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/;
>>> classtype:trojan-activity; sid:XxXxXxXx; rev:1;)
>>>
>>> On Fri, Sep 12, 2014 at 3:07 PM, Ben Koenig <koenigb at gmail.com> wrote:
>>>
>>>> I'm pretty sure I did this right, but please let me know if I didn't.
>>>> This is related to a spam campaign that shows up as Kuluoz.D; the email
>>>> subject was "You have voice message".
>>>>
>>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS
>>>> You have voice message Kuluoz.D URI"; flow:established,to_server;
>>>> content:".php?"; http_uri; fast_pattern:only;
>>>> pcre:"/\.php\?[a-z]+=[a-zA-Z0-9/+]{22}"; reference:url,
>>>> www.virustotal.com/en/file/fbfcb033627e7c26c82b3f69c52f0592f203661cf49d60fb017ae7532984ae2b/analysis/;
>>>> classtype:trojan-activity; sid:XxXxXxXx; rev:1;)
>>>>
>>>>
>>>> I didn't see any of the existing Asprox/Kuluoz rules matching that in
>>>> our set.
>>>>
>>>> -Thanks,
>>>> Ben.
>>>>
>>>
>>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>>
>
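An added example, not part of the thread: the two PCRE revisions posted above transcribed into Python and run over constructed URIs (not captured traffic), to show the false-positive concern concretely. Any PHP endpoint taking a 22-character opaque token in a lowercase parameter matches, and the trailing $ only excludes longer values. The URIs and the hypothetical-name parameters are constructed for this example.

```python
import re

# The two PCRE revisions from the thread, transcribed as Python regexes.
# In the later revision \x2b is '+', \x2f is '/', and \x5c is a backslash,
# so that class also admits '\' which the first draft's [a-zA-Z0-9/+] did not.
RULE_PCRE_V1 = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9/+]{22}")            # first draft
RULE_PCRE_V3 = re.compile(r"\.php\?[a-z]+=[a-zA-Z0-9\x2b\x5c\x2f]{22}$")  # "$/U" revision


def matches(pattern: re.Pattern, uri: str) -> bool:
    """Emulate the http_uri check: the PCRE is applied to the request URI only."""
    return pattern.search(uri) is not None


# Constructed sample URIs. "campaign_like" mimics the shape the rule targets;
# the "benign_*" entries are ordinary PHP sites using 22-char opaque tokens.
SAMPLE_URIS = {
    "campaign_like":    "/voice.php?id=Ab3dEf7GhIj9KlMnOpQrSt",       # 22 chars
    "benign_session":   "/index.php?s=xK2lPq9RzT4vWb8nMc1ydQ",        # 22-char session id
    "benign_cdn_token": "/download.php?t=0Z9y8X7w6V5u4T3s2R1q0P",     # 22-char token
    "benign_longer":    "/index.php?s=xK2lPq9RzT4vWb8nMc1ydQ7h",      # 24 chars
    "backslash_value":  "/a.php?x=" + "\\" * 22,                      # only the \x5c class admits this
}


def evaluate(pattern: re.Pattern) -> dict:
    """Return {sample name: did the rule's PCRE fire} for every constructed URI."""
    return {name: matches(pattern, uri) for name, uri in SAMPLE_URIS.items()}


def false_positives(pattern: re.Pattern) -> list:
    """Names of benign samples the pattern would alert on (the FP rate Darien refers to)."""
    return [name for name, hit in evaluate(pattern).items()
            if hit and name.startswith("benign_")]


if __name__ == "__main__":
    for label, pat in (("v1 (unanchored)", RULE_PCRE_V1), ("v3 ($/U)", RULE_PCRE_V3)):
        print(label, evaluate(pat), "FPs:", false_positives(pat))
```

Running it shows that the $ anchor removes only the 24-character case; the two 22-character benign tokens still fire on both revisions, which is why a generic length-based URI pattern is a poor discriminator for this family.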