Thursday, November 19, 2015

ZeroAccess Snort Rule 1:26910 Walk-thru

This snort rule triggered from this post request and I thought I'd walk through why it triggered.

$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS means local to remote on web ports

content:"POST"; http_method means http post (so typically like when a user hits a submit button on a website ... but many ways to post data back to server)

content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; means http header must contain the text '128' followed by newline \r\n

content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; means HTTP/1. and User-Agent must be close together

content:!"|0D 0A|Accept"; http_header; means doesn't contain the word Accept in header

pcre:"/[^ -~\x0d\x0a]{4}/P"; means it must match this regular expression ...
' -~' means "printable characters" .... so if you look at and go from the 2nd column to the end
\x0d and \x0a are the newlines again
the ^ means not
and the {4} means 4 times
so i'd read it as saying it contains 4 non-printable characters in a row
which based on the title 'ZeroAccess Encrypted 128-byte POST No Accept Headers' i'm wondering if that's a way they try to indicate encryption

Other good links for ZeroAccess are Symantec explanation and Symantec white paper

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. ali.txt php injection walk-thru
  3. apache struts2 rce walk-thru

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment