[Emerging-Sigs] Proposed change to Gh0st rules for Suricata

Travis Green tgreen at emergingthreats.net
Fri Apr 12 14:49:34 HDT 2019


Thanks Duane, I'll modify these for Monday's release.

-T

On Wed, Apr 10, 2019 at 4:25 PM Duane Howard <duane.security at gmail.com> wrote:
>
> We see a number of FPs on old Gh0st rules, sometimes on TLS traffic that Suricata failed to detect, and sometimes for online games or streaming services.
>
> In all of these cases the alert is based on the packet alone, and the hit is usually waay down pretty far into a stream, but these rules are looking for content matches that *should* be at the beginning of a stream (I think). If that's the case, then I have a proposed modification below to use tcp-stream and the stream_size keywords to avoid matching on single packets. This proposal should probably be applied to a number of the "PCRat/Gh0st CnC traffic (OUTBOUND) ##" rules.
>
> Does this seem sane?
>
> ./d
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)
>
> alert tcp-stream $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; stream_size:server,>,11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)


-- 
PGP:
travisgreen.net/tgreen at emergingthreats.net.asc
travisgreen.net/travis at travisgreen.net.asc
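Added example, not part of the thread and not Emerging Threats or Suricata code: a small Python model of the keyword chain in sid:2018485 as quoted above, evaluated two ways. `alerts_per_packet` judges each TCP payload on its own, which is how a plain `alert tcp` rule with `dsize` behaves and is why a byte pattern that only means something at byte 8 of a conversation can fire on an arbitrary segment deep inside a TLS or streaming session. `alert_on_stream` reassembles first, applies a minimum-stream-size gate standing in for `stream_size`, and evaluates once from byte 0 of the conversation, which is the intent of the `tcp-stream` proposal. The Suricata semantics are simplified (a single evaluation over the reassembled data rather than progressive inspection, and an out-of-bounds `byte_jump` treated as a non-match); the sample payloads are constructed for the example.

```python
import struct

# Content match from sid:2018485 (taken from the rule quoted in the thread).
GH0ST_CONTENT = b"\x7a\x98"


def rule_2018485_matches(buf: bytes) -> bool:
    """Literal model of the keyword chain in sid:2018485 applied to one
    buffer (a single packet payload or a reassembled stream).

      dsize:>11                          -> len(buf) > 11
      content:"|7a 98|"; offset:8; depth:2 -> buf[8:10] == 7a 98
      byte_test:4,<,65535,0,little       -> u32le(buf[0:4]) < 65535
      byte_test:4,<,65535,4,little       -> u32le(buf[4:8]) < 65535
      byte_jump:4,0,little,from_beginning,post_offset -1
                                         -> cursor = u32le(buf[0:4]) - 1
      isdataat:!2,relative               -> fewer than 2 bytes left at cursor
    """
    if len(buf) <= 11:
        return False
    if buf[8:10] != GH0ST_CONTENT:
        return False
    total_len = struct.unpack_from("<I", buf, 0)[0]
    second = struct.unpack_from("<I", buf, 4)[0]
    if not (total_len < 65535 and second < 65535):
        return False
    cursor = total_len - 1
    # Simplification: a jump outside the buffer is treated as a non-match.
    if cursor < 0 or cursor > len(buf):
        return False
    return (len(buf) - cursor) < 2


def alerts_per_packet(segments):
    """Packet mode: every payload is judged in isolation, so offset:8 means
    'byte 8 of whichever segment happened to arrive'. Returns the indices of
    segments that would raise the alert."""
    return [i for i, seg in enumerate(segments) if rule_2018485_matches(seg)]


def alert_on_stream(segments, min_stream_bytes=11):
    """Stream mode (simplified stand-in for tcp-stream + stream_size): reassemble,
    require the conversation to exceed min_stream_bytes, then evaluate once from
    byte 0, so offset:8 means 'byte 8 of the conversation'."""
    stream = b"".join(segments)
    if len(stream) <= min_stream_bytes:
        return False
    return rule_2018485_matches(stream)


# Constructed sample data (hypothetical, not captured traffic).
# First segment of a conversation shaped like a TLS record header plus padding:
# the rule's content match at offset 8 does not line up, as expected.
TLS_LIKE_FIRST = b"\x16\x03\x01\x00\x10\x01\x00\x00\x0c\x03\x03" + b"\x00" * 12

# A later 16-byte chunk of some unrelated protocol that, by coincidence,
# satisfies every byte constraint in the rule when viewed on its own.
COINCIDENTAL_CHUNK = struct.pack("<II", 16, 5) + GH0ST_CONTENT + b"\x00" * 6

# A benign conversation in which the coincidental chunk arrives mid-stream.
STREAM_FP = [TLS_LIKE_FIRST, COINCIDENTAL_CHUNK]
# A conversation that really does start with the matching structure.
STREAM_TP = [COINCIDENTAL_CHUNK]


if __name__ == "__main__":
    print("packet mode, benign stream :", alerts_per_packet(STREAM_FP))  # [1]
    print("stream mode, benign stream :", alert_on_stream(STREAM_FP))    # False
    print("stream mode, true positive :", alert_on_stream(STREAM_TP))    # True
```

Packet mode raises the alert on the second segment of the benign conversation, while stream mode does not, because the conversation's own byte 8 fails the content match; the conversation that genuinely starts with the structure still alerts in stream mode. Note that the direction argument to `stream_size` in the proposed rule (`server` on a `to_server` match) is worth double-checking against the traffic the rule is meant to see.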

