[Emerging-Sigs] Proposed change to Gh0st rules for Suricata
Duane Howard
duane.security at gmail.com
Mon Apr 22 06:58:43 HDT 2019
Oh, and I also noticed that sid:2017548 is not restricted with
flow:to_server,established like the rest, but seems like it should be.
On Fri, Apr 12, 2019 at 4:49 PM Travis Green <tgreen at emergingthreats.net>
wrote:
> Thanks Duane, I'll modify these for Monday's release.
>
> -T
>
> On Wed, Apr 10, 2019 at 4:25 PM Duane Howard <duane.security at gmail.com>
> wrote:
> >
> > We see a number of FPs on old Gh0st rules, sometimes on TLS traffic
> > that Suricata failed to detect, and sometimes for online games or streaming
> > services.
> >
> > In all of these cases the alert is based on the packet alone, and the
> > hit is usually way down pretty far into a stream, but these rules are
> > looking for content matches that *should* be at the beginning of a stream (I
> > think). If that's the case, then I have a proposed modification below to
> > use tcp-stream and the stream_size keywords to avoid matching on single
> > packets. This proposal should probably be applied to a number of the
> > "PCRat/Gh0st CnC traffic (OUTBOUND) ##" rules.
> >
> > Does this seem sane?
> >
> > ./d
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)
> >
> > alert tcp-stream $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; stream_size:server,>,11; content:"|7a 98|"; offset:8; depth:2; byte_test:4,<,65535,0,little; byte_test:4,<,65535,4,little; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!2,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,9214f110f356e0ccccbab16266ae2a06; classtype:trojan-activity; sid:2018485; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2014_05_19, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
> >
>
>
> --
> PGP:
> travisgreen.net/tgreen at emergingthreats.net.asc
> travisgreen.net/travis at travisgreen.net.asc
>
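The two points raised in this thread (OUTBOUND Gh0st rules that lack flow:to_server,established, and packet-based dsize matches that should become tcp-stream rules with stream_size), as an added Python example that is not code from the thread or from Emerging Threats: a small rule linter plus the proposed rewrite. The sample rules are constructed (the first abbreviates sid:2018485 from the thread with references and metadata dropped; sids 9000001 and 9000002 are placeholders), and stream_size:server is used exactly as the proposal writes it.

```python
import re
# Constructed sample rules (options abbreviated). The first is the thread's sid:2018485 with
# references/metadata dropped; the other two are hypothetical, with placeholder sids 9000001/9000002.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family '
    'PCRat/Gh0st CnC traffic (OUTBOUND) 32"; flow:to_server,established; dsize:>11; '
    'content:"|7a 98|"; offset:8; depth:2; sid:2018485; rev:3;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PCRat/Gh0st CnC traffic (OUTBOUND) 99"; '
    'dsize:>11; content:"|7a 98|"; offset:8; depth:2; sid:9000001; rev:1;)',
    'alert tcp-stream $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PCRat/Gh0st CnC traffic (OUTBOUND) 98"; '
    'flow:established,to_server; stream_size:server,>,11; content:"|7a 98|"; offset:8; depth:2; sid:9000002; rev:1;)',
]
RULE_RE = re.compile(r'^(?P<action>\w+)\s+(?P<proto>[\w-]+)\s+(?P<hdr>.+?)\s+\((?P<opts>.*)\)\s*$')

def split_options(opts):
    """Split the option body on ';' outside double quotes (a ';' inside content is written |3b|)."""
    parts, quoted, start = [], False, 0
    for i, ch in enumerate(opts):
        if ch == '"' and (i == 0 or opts[i - 1] != '\\'):
            quoted = not quoted
        elif ch == ';' and not quoted:
            parts.append(opts[start:i].strip())
            start = i + 1
    tail = opts[start:].strip()
    return parts + [tail] if tail else parts

def lint(rule):
    """Return the findings raised in the thread for one well-formed, single-line rule."""
    m = RULE_RE.match(rule)
    opts = split_options(m.group('opts'))
    msg = next((o for o in opts if o.startswith('msg:')), '')
    flow = next((o.split(':', 1)[1] for o in opts if o.startswith('flow:')), '')
    flags = {f.strip() for f in flow.split(',')}
    findings = []
    if '(OUTBOUND)' in msg and not {'to_server', 'established'} <= flags:
        findings.append('missing flow:to_server,established')
    if m.group('proto') == 'tcp' and any(o.startswith('dsize:') for o in opts):
        findings.append('single-packet dsize match; use tcp-stream with stream_size')
    return findings

def to_stream_rule(rule):
    """Apply the proposed change: 'tcp' -> 'tcp-stream' and dsize:<op>N -> stream_size:server,<op>,N.
    Rules that are not plain 'tcp', and dsize forms other than <N / >N, are returned unchanged."""
    m = RULE_RE.match(rule)
    if m.group('proto') != 'tcp':
        return rule
    opts = [re.sub(r'^dsize:\s*([<>])\s*(\d+)$', r'stream_size:server,\1,\2', o)
            for o in split_options(m.group('opts'))]
    return f"{m.group('action')} tcp-stream {m.group('hdr')} ({'; '.join(opts)};)"
```

Running lint over a rules file before and after to_stream_rule shows which OUTBOUND rules still need the flow restriction and which are still packet-only.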