[Emerging-Sigs] Proposed change to Gh0st rules for Suricata

Duane Howard duane.security at gmail.com
Wed Apr 10 13:24:46 HDT 2019


We see a number of FPs on old Gh0st rules, sometimes on TLS traffic that
Suricata failed to detect, and sometimes for online games or streaming
services.

In all of these cases the alert is based on the packet alone, and the hit
is usually way down, pretty far into a stream, but these rules are
looking for content matches that *should* be at the beginning of a stream (I
think). If that's the case, then I have a proposed modification below to
use *tcp-stream* and the *stream_size* keywords to avoid matching on single
packets. This proposal should probably be applied to a number of the
"PCRat/Gh0st CnC traffic (OUTBOUND) ##" rules.

Does this seem sane?

./d

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

alert tcp-stream $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; stream_size:server,>,11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)
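Added example, not part of the post above or of the ET ruleset: a Python re-implementation of the payload options of sid:2018485 as written (dsize, content/offset/depth, the two byte_tests, the byte_jump with post_offset, and isdataat:!2,relative), run over constructed byte strings. It shows what the rule actually pins down on a single segment: a little-endian 32-bit value at offset 0 that equals the segment length (give or take one byte), a second value at offset 4 below 65535, and 7a 98 at offset 8. Any mid-stream chunk of some other protocol that happens to satisfy those three conditions fires the packet rule, which is the FP class the post describes. The sample buffers are constructed for illustration; the "in_stream" case only demonstrates that absolute offset/depth no longer line up when the inspected buffer starts at the beginning of the stream, and does not model Suricata's chunked stream inspection. Treating an out-of-buffer byte_jump as a failed match is an assumption about engine behaviour.

```python
import struct

# ---- Constructed sample buffers (illustration only, not real captures) ----

# Shaped exactly as the rule's options describe: LE32 at 0 == segment length,
# small LE32 at 4, bytes 7a 98 at offset 8, then filler.
SEG_LEN = 40
GH0ST_SHAPED = struct.pack("<II", SEG_LEN, 12) + b"\x7a\x98" + b"A" * (SEG_LEN - 10)

# Start of a TLS record (16 03 01 ...): fails byte_test at 0 and content at 8.
TLS_RECORD = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 40

# A chunk of some unrelated protocol where the first four bytes happen to
# equal the chunk length and 7a 98 sits at offset 8. Inspected as a lone
# packet it is indistinguishable from the C2 shape above.
CHUNK_LEN = 64
COINCIDENTAL = struct.pack("<II", CHUNK_LEN, 7) + b"\x7a\x98" + bytes(range(CHUNK_LEN - 10))

# Same header bytes but the declared length does not match the buffer size,
# so the byte_jump/isdataat pair rejects it.
LENGTH_MISMATCH = struct.pack("<II", 40, 12) + b"\x7a\x98" + b"A" * 60

# 1000 bytes of earlier stream data in front of the coincidental chunk: what
# the absolute offsets see when the buffer starts at the stream's beginning.
IN_STREAM = b"\x00" * 1000 + COINCIDENTAL


def rule_2018485_matches(buf: bytes) -> bool:
    """Evaluate the payload options of ET sid:2018485 rev:3 on one buffer.

    Option order mirrors the rule:
      dsize:>11; content:"|7a 98|"; offset:8; depth:2;
      byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little;
      byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!2,relative;
    """
    n = len(buf)
    # dsize:>11 -> at least 12 bytes of payload
    if n <= 11:
        return False
    # content:"|7a 98|"; offset:8; depth:2 -> exactly bytes 8 and 9
    if buf[8:10] != b"\x7a\x98":
        return False
    # byte_test:4,<,65535,0,little -> LE32 at offset 0 below 65535
    v0 = struct.unpack_from("<I", buf, 0)[0]
    if v0 >= 65535:
        return False
    # byte_test:4,<,65535,4,little -> LE32 at offset 4 below 65535
    v4 = struct.unpack_from("<I", buf, 4)[0]
    if v4 >= 65535:
        return False
    # byte_jump:4,0,little,from_beginning,post_offset -1 -> re-read the LE32
    # at offset 0, move the detect pointer there (from buffer start), then
    # step back one byte. Assumption: a target outside the buffer fails.
    target = v0 - 1
    if target < 0 or target > n:
        return False
    # isdataat:!2,relative -> fewer than 2 bytes remain after the pointer,
    # i.e. the declared length is (within one byte) the buffer length.
    return n - target < 2


def evaluate_samples() -> dict:
    """Run the rule predicate over every constructed sample."""
    samples = {
        "gh0st_shaped": GH0ST_SHAPED,
        "tls_record": TLS_RECORD,
        "coincidental_segment": COINCIDENTAL,
        "length_mismatch": LENGTH_MISMATCH,
        "coincidental_in_stream": IN_STREAM,
    }
    return {name: rule_2018485_matches(b) for name, b in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

The "coincidental_segment" result is the one worth staring at: nothing in the packet rule ties the match to the start of a conversation, so any segment whose first dword equals its own length and carries 7a 98 at offset 8 alerts, regardless of where in the stream it sits.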