Showing posts with label Snort. Show all posts

Monday, December 26, 2016

1:41083 BLACKLIST suspicious .bit dns query

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DNS query blacklist alert didn't include documentation.

(1:41083) BLACKLIST suspicious .bit dns query

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST suspicious .bit dns query"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|bit|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; classtype:trojan-activity; sid:41083; rev:1; )


If I had to guess, I think it's related to the .bit TLD or something similar, which stated:

Per the Reddit post: The advantage to owning a .bit domain is that no government or third-party can have your DNS interrupted; it is truly a P2P DNS system with no possibility of censorship.
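As an added example (not from the original post), here is a Python sketch of what the two detection options in 1:41083 check: byte_test:1,!&,0xF8,2 requires the first DNS flags byte to have neither the QR bit nor any OPCODE bit set (a standard query, not a response), and content:"|03|bit|00|" looks for a 3-byte label "bit" immediately followed by the root label, i.e. a name whose TLD is .bit. The query builder and the sample names are constructed for this example.

```python
import struct

# Rule 1:41083 looks at two things in a UDP/53 payload from $HOME_NET:
#   byte_test:1,!&,0xF8,2  -> the byte at offset 2 (first flags byte) must have
#                             NONE of the bits 1111 1000 set, i.e. QR = 0 and
#                             OPCODE = 0: a standard query, not a response
#   content:"|03|bit|00|"  -> a 3-byte label "bit" that is directly followed by
#                             the root label (0x00), so the TLD is .bit
FLAGS_MASK = 0xF8
BIT_TLD_PATTERN = b"\x03bit\x00"


def build_query(name: str, txid: int = 0x1234, response: bool = False) -> bytes:
    """Build a minimal DNS A query (constructed sample, not a real capture)."""
    flags = 0x0100  # RD set, QR and OPCODE zero
    if response:
        flags |= 0x8000  # QR bit: turns the message into a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode() for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def rule_41083_matches(payload: bytes) -> bool:
    """Return True when the payload satisfies both detection options of the rule."""
    if len(payload) < 12:
        return False
    if payload[2] & FLAGS_MASK:  # byte_test 1,!&,0xF8,2 fails if any masked bit is set
        return False
    return BIT_TLD_PATTERN in payload  # content match anywhere in the payload


def queried_name(payload: bytes) -> str:
    """Decode the first question name so an analyst can see what was asked."""
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    for name in ("www.example.bit", "bit.example.com", "www.example.com"):
        q = build_query(name)
        print(f"{queried_name(q):20s} fires={rule_41083_matches(q)}")
```

Note that "bit.example.com" does not fire, because the "bit" label is followed by another label rather than the root, while a response for a .bit name is excluded by the flags test.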

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1:41088 MALWARE-CNC Win.Trojan.MrWhite Win.Trojan.Ostap out bound communication attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan connection attempt Snort alerts didn't include documentation.

(1:41089) MALWARE-CNC Win.Trojan.Ostap out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ostap out bound communication attempt"; flow:to_server,established; content:"/ostap.php"; fast_pattern:only; http_uri; content:"/ostap.php"; depth:20; offset:2; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41089; rev:1; )

(1:41088) MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MrWhite out bound communication attempt"; flow:to_server,established; content:"/GOLD/bender.php"; http_uri; content:"User-Agent: Mr.White|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41088; rev:1; )


If I had to guess, I think it's related to this JScript backdoor or something similar, which stated:

Per the article, MrWhite can profile the victim systems for the presence of running POS software before dropping further POS payloads. It is related to a financially-motivated threat actor group with access to banking Trojans and other malware, including Dridex, Ursnif, Tinba, and the point-of-sale (POS) malware AbaddonPOS with its loader, TinyLoader.


1:41035 1:41084 EXPLOIT-KIT Sundown Exploit Kit redirection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these exploit kit alerts didn't include documentation.

(1:41035) EXPLOIT-KIT Sundown Exploit Kit redirection attempt

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXPLOIT-KIT Sundown Exploit Kit redirection attempt"; flow:established,to_server; content:"/noone.php"; depth:10; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:41035; rev:1; )

(1:41084) EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Sundown Exploit kit landing page obfuscation detected"; flow:to_client,established; file_data; content:"|22|script|22|"; nocase; content:"|22|createE|22|"; within:50; nocase; content:"|22|lement|22|"; within:20; nocase; content:"|22|type|22|"; within:50; nocase; content:"|22|text/j|22|"; within:50; nocase; content:"|22|avascript|22|"; within:50; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-user; sid:41084; rev:1; )


If I had to guess, I think it's related to the Sundown Exploit Kit or something similar, which stated:

Per the article, it is composed of a couple of parts: a landing page and an exploit page with a payload. This landing page then probes the user's system to determine if they are potentially vulnerable and then delivers an exploit page with a malicious payload.


1:41034 MALWARE-CNC Win.Trojan.Sality variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this trojan connection attempt Snort alert didn't include documentation.

(1:41034) MALWARE-CNC Win.Trojan.Sality variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/images/image.gif"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:41034; rev:1; )


If I had to guess, I think it's related to this Sality gambling campaign or something similar, which stated:

It appears the image.gif callouts download the real payload. The article also mentions that Sality has incorporated the use of rootkit functions as part of the malware family's ongoing evolution. Sality was found to deliver fake-AV malware as the final payload, able to infect not only local drives but also USB devices and network folders.
The VirusTotal link above shows many solid hits of Win32/Sality.


1:41033 MALWARE-CNC Win.Trojan.Proteus outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this trojan connection attempt Snort alert didn't include documentation.

(1:41033) MALWARE-CNC Win.Trojan.Proteus outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proteus outbound connection"; flow:to_server,established; content:"/api/register"; fast_pattern:only; http_uri; content:"{|22|m|22|:|22 5C 5C|"; depth:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/d23b4a30f6b1f083ce86ef9d8ff434056865f6973f12cb075647d013906f51a2/analysis/; classtype:trojan-activity; sid:41033; rev:1; )


If I had to guess, I think it's related to this link (found via the VirusTotal comments) on the Proteus botnet or something similar, which stated:

It appears to make callouts to an API on the C&C server, and it appears to have keylogger capabilities among other things.
The VirusTotal link above shows several generic hits like Trojan.KeyLogger, TrojanDropper.Dapato, Win32.Trojan.WisdomEyes, Trojan.Dynamer, etc.


1:41031 MALWARE-CNC Win.Trojan.Athena variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this trojan connection attempt Snort alert didn't include documentation.

(1:41031) MALWARE-CNC Win.Trojan.Athena variant outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Athena variant outbound connection"; flow:to_server,established; content:"User-Agent: Go-http-client"; fast_pattern:only; http_header; content:"/cmd/"; depth:5; http_uri; pcre:"/^\x2Fcmd\x2F[\-a-zA-Z0-9_+]{650,}={0,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/af385c983832273390bb8e72a9617e89becff2809a24a3c76646544375f21d14/analysis/; classtype:trojan-activity; sid:41031; rev:1; )


If I had to guess, I think it's related to this malware analysis of a file called msguard.exe or something similar, which stated:

It appears to make callouts to .onion addresses with cmd parameters that are likely sending information to, or receiving it from, a C&C server.
The VirusTotal link above shows several generic hits like Win.Trojan.Athena, W32.Clodece.Trojan, Trojan.Dynamer, Trojan.Razy, etc.


Wednesday, December 14, 2016

1:40912 1:40913 MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these trojan download attempt Snort alerts didn't include documentation.

(1:40913) MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1; )

(1:40912) MALWARE-OTHER Win.Trojan.Flokibot variant download attempt

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1; )


If I had to guess, I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar, which stated:

Floki Bot is a malware variant that has recently been offered for sale on various darknet markets. It is based on the same codebase that was used by the infamous Zeus trojan. Floki Bot claims to feature several new capabilities making it an attractive tool for criminals. Talos also observed the introduction of new code that allows Floki Bot to make use of the Tor network.
Malwarebytes also has a good write-up on the malware.
The VirusTotal link above shows several generic hits like Win.Trojan.Flokibot, Trojan-Spy.Zbot, Trojan.Win32.DownLoader, etc.


1:40911 MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Sednit rootkit alert didn't include documentation.

(1:40911) MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:1; )


If I had to guess, I think it's related to the Sednit hacking group and perhaps a rootkit they developed or something similar, which stated:

...the notorious Sednit hacking group, which has targeted over 1000 high-profile individuals with phishing attacks and zero-day exploits. The Sednit gang, also known as APT28, Fancy Bear, Pawn Storm and Sofacy, are highly experienced, and have been engaged in criminal activity since at least 2004. They have developed sophisticated attacks that bypass the typical network security at compromised organizations.
Another blog mentioned: The obvious goal of the SEDNIT-related spyware is to steal personal data, record audio, make screenshots, and send them to a remote command-and-control (C&C) server.
The VirusTotal link above shows several generic hits like TROJ_SEDNIT, Rootkit.BlackEnergy, Trojan-Dropper.Win32.Agent, etc.


1:40910 MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Locky ransomware alert didn't include documentation.

(1:40910) MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/information.cgi"; depth:16; fast_pattern; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:40910; rev:1; )


If I had to guess, I think it's related to Locky's massive spray-and-pray spam campaign or something similar, which stated:

The encrypting malware then goes on to connect to a number of hard-coded IP addresses whose purpose is to enroll the affected computer into a botnet: http://xxxxxx / information.cgi ....


1:40906 MALWARE-CNC Win.Malware.Disttrack variant outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this Disttrack malware Snort alert didn't include documentation.

(1:40906) MALWARE-CNC Win.Malware.Disttrack variant outbound connection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Malware.Disttrack variant outbound connection"; flow:to_server,established; content:"/category/page.php"; http_uri; content:"shinu="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842/analysis/; classtype:trojan-activity; sid:40906; rev:1; )


If I had to guess, I think it's related to the Disttrack malware that spreads across the network destroying data or something similar, which stated:

Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The data in the "shinu" parameter is a combination of the system's tickcount, local IP address, operating system version, keyboard layout and the contents of %WINDOWS%\inf\netimm173.pnf. The C2 server can respond to this HTTP request
The VirusTotal link provided has hits on things such as Trojan/Win32.DistTrack, DistTrack!comm, etc.


1:40905 SERVER-WEBAPP Oracle Weblogic default credentials login attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this default credential alert didn't include documentation.

(1:40905) SERVER-WEBAPP Oracle Weblogic default credentials login attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username="; http_client_body; content:"j_password=weblogic"; http_client_body; pcre:"/j_username=(root|system)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40905; rev:1; )

(1:40904) SERVER-WEBAPP Oracle Weblogic default credentials login attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle Weblogic default credentials login attempt"; flow:to_server,established; content:"/j_security_check"; fast_pattern:only; http_uri; content:"j_username=weblogic"; http_client_body; content:"j_password"; http_client_body; pcre:"/j_password=(welcome1|weblogic|admin)/P"; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:40904; rev:1; )


If I had to guess, I think it's related to Oracle's documentation on default credentials for WebLogic or something similar, which stated:

In the tutorial the username is weblogic and the password is Welcome1.


1:40991 MALWARE-CNC Linux.DDoS.D93 outbound connection

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created this DDoS Snort alert didn't include documentation.

(1:40991) MALWARE-CNC Linux.DDoS.D93 outbound connection

alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|"; depth:5; dsize:25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:1; )


If I had to guess, I think it's related to this article on Linux DDoS 93 or something similar, which stated:

Crooks are hijacking devices running Linux-based operating systems and use them to launch DDoS attacks at their behest. Dr.Web security researchers say the trojan seems to infect Linux machines via the Shellshock vulnerability, still unpatched in a large number of devices.

The VirusTotal link in the alert above has hits for Linux.DDoS.93, Linux.DDOS.Flood.W, etc.


1:41018 1:41019 SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt

I previously wrote about documentation-less snort rules. Below is my attempt to fill in some of those gaps.

Whoever created these 2 new SQL injection Snort alerts for Nagios didn't include documentation.

(1:41019) SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_uri; pcre:"/[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41019; rev:1; )

(1:41018) SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt"; flow:to_server,established; content:"nagiosxi/includes/components/nagiosim/nagiosim.php"; fast_pattern:only; http_uri; content:"host="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; pcre:"/[?&]host=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:41018; rev:1; )


If I had to guess, I think it's related to this disclosure or something similar, which stated:

The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are vulnerable to SQL injection via error-based payloads
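Added example, not part of the original post: the two rules differ in which view of the URI they inspect. 41019 applies its pcre to the normalized URI (/U), so a percent-encoded ; or | is decoded before the character class [\x60\x3b\x7c]|\x24\x28 is tested, while 41018 looks at the raw URI (/I) for a literal %26, an encoded ampersand that normalization would turn into a parameter separator. The Python below replays both checks on constructed URIs; normalize_uri is a percent-decoding approximation of Snort's http_inspect normalization, assumed for this example. Note that the characters 41019 hunts for are shell metacharacters rather than SQL syntax, despite the rule name.

```python
import re
from urllib.parse import unquote

NAGIOSIM_PATH = "nagiosxi/includes/components/nagiosim/nagiosim.php"

# pcre from 1:41019 (/Ui = normalized URI, case-insensitive):
# a host= value containing ` ; | or $(
RE_41019 = re.compile(r"[?&]host=[^&]*?([\x60\x3b\x7c]|\x24\x28)", re.I)

# pcre from 1:41018 (/Ii = raw URI, case-insensitive):
# a host= value containing a literal, still-encoded %26
RE_41018 = re.compile(r"[?&]host=[^&]*?%26", re.I)


def normalize_uri(raw: str) -> str:
    """Percent-decode the URI. Assumption for this example: Snort's http_inspect
    normalization does more (path folding, double-decoding options, etc.)."""
    return unquote(raw)


def matching_sids(raw_uri: str) -> list:
    """Return the SIDs whose conditions the request URI satisfies."""
    sids = []
    norm = normalize_uri(raw_uri)
    # Both rules anchor on the nagiosim.php component path (fast_pattern:only).
    if NAGIOSIM_PATH not in norm:
        return sids
    # 41019: content:"host="; nocase; http_uri; then the pcre on the normalized URI
    if "host=" in norm.lower() and RE_41019.search(norm):
        sids.append(41019)
    # 41018: content:"host="; http_raw_uri; content:"%26"; distance:0; http_raw_uri;
    # then the pcre on the raw URI
    if "host=" in raw_uri.lower() and RE_41018.search(raw_uri):
        sids.append(41018)
    return sids


# Constructed sample URIs (not from any real capture).
SAMPLE_URIS = [
    "/" + NAGIOSIM_PATH + "?host=srv01&service=HTTP",          # benign
    "/" + NAGIOSIM_PATH + "?host=srv01%3Btrue&service=HTTP",   # ';' after decoding
    "/" + NAGIOSIM_PATH + "?host=srv01%26service%3Dx",         # encoded '&' in value
    "/index.php?host=srv01%3Btrue",                            # wrong path
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri}\n    -> {matching_sids(uri)}")
```

The second and third samples show why the pair exists: the decoded semicolon is only visible in the normalized view, while the %26 is only visible in the raw view.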


Documentation-less Snort Rules

Has anybody else noticed that what seems like the majority of new Snort rules that come out, and that you can use in an IDS (intrusion detection system) like Sourcefire, don't have any documentation? You're stuck with

Summary: This rule does not have documentation


Or, if you're lucky, some link to a VirusTotal page with no other explanation.

Well, I thought it might be interesting to try to collect some brief links or documentation around some documentation-less Snort rules. I did not write the rules, and I have no insight into who did or why. I did not write the documentation either; I simply collected the information and put it in one spot so that, if you're googling why a Snort rule fired and what it means, this documentation might be helpful for you. Enjoy.

Sample initial documentation I put together for the documentation-less rules:
- SERVER-WEBAPP Nagios XI Incident Manager SQL command injection attempt 41018 41019
- MALWARE-CNC Linux.DDoS.D93 outbound connection 40991
- SERVER-WEBAPP Oracle Weblogic default credentials login attempt 40905 40905
- MALWARE-CNC Win.Malware.Disttrack variant outbound connection 40906
- MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt 40910
- MALWARE-CNC Win.Rootkit.Sednit variant outbound connection attempt 40911
- MALWARE-OTHER Win.Trojan.Flokibot variant download attempt 40912 40913



Friday, September 16, 2016

Snort Rules Monitoring User-Agents

I think some Snort rules like these could be used to monitor specific user-agents that are often associated with recon, vulnerability scans, and exploits.

WPScan

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"WPScan"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*WPScan/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string WPScan - vulnerability scanner"; classtype:network-scan; rev:1; )

Wget

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Wget"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Wget/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Wget non-browser"; classtype:network-scan; rev:1; )

Synapse

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Synapse"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Synapse/Hm"; metadata:service http; reference:url,http://www.spambotsecurity.com/forum/viewtopic.php?f=43&t=2876; msg:"BLACKLIST User-Agent known malicious user-agent string Synapse - SQLi IoC"; classtype:network-scan; rev:1; )

SqlMap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"sqlmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*sqlmap/Hm"; metadata:service http; reference:url,http://sqlmap.org/; msg:"BLACKLIST User-Agent known malicious user-agent string sqlmap - vulnerability scanner"; classtype:network-scan; rev:1; )

Python

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Python-urllib"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20Python/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string Python non-browser"; classtype:network-scan; rev:3; )

PycURL

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"PycURL"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*PycURL/Hm"; metadata:service http; reference:url,http://pycurl.io/; msg:"BLACKLIST User-Agent known malicious user-agent string PycURL - non Browser"; classtype:network-scan; rev:1; )

Paros

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Paros"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Paros/Hm"; metadata:service http; reference:url,http://sectools.org/tool/paros/; msg:"BLACKLIST User-Agent known malicious user-agent string Paros - vulnerability scanner"; classtype:network-scan; rev:1; )

OpenVAS

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"OpenVAS"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*OpenVAS/Hm"; metadata:service http; reference:url,http://www.openvas.org/; msg:"BLACKLIST User-Agent known malicious user-agent string OpenVAS - vulnerability scanner"; classtype:network-scan; rev:2; )

Nmap

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nmap"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nmap/Hm"; metadata:service http; reference:url,https://nmap.org/book/nse.html; msg:"BLACKLIST User-Agent known malicious user-agent string Nmap - scanner"; classtype:network-scan; rev:2; )

Nikto

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Nikto"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Nikto/Hm"; metadata:service http; reference:url,http://sectools.org/tool/nikto/; msg:"BLACKLIST User-Agent known malicious user-agent string Nikto - vulnerability scanner"; classtype:network-scan; rev:1; )

Kazehakase

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"Kazehakase"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*Kazehakase/Hm"; metadata:service http; reference:url,https://en.wikipedia.org/wiki/Kazehakase; msg:"BLACKLIST User-Agent known malicious user-agent string Kazehakase - suspicious browser"; classtype:network-scan; rev:1; )

curl

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:xxx; gid:1; flow:established,to_server; content:"curl"; http_header; fast_pattern:only; pcre:"/^User\x2dAgent\x3a\x20[^\r\n]*curl/Hm"; metadata:service http; msg:"BLACKLIST User-Agent known malicious user-agent string curl - non browser"; classtype:network-scan; rev:1; )


Friday, August 19, 2016

TRUFFLEHUNTER Snort Rules

What are they? These links give some background: seclist and Stack Exchange.

That rule is a "truffle," which means it detects a security incident for which we unfortunately cannot provide additional information due to NDA restrictions. TruffleHunter rules are for vulnerabilities that have been discovered by Talos, disclosed to the vendor, but the vendor has not yet issued a patch.




Thursday, November 19, 2015

ZeroAccess Snort Rule 1:26910 Walk-thru

This snort rule triggered from this post request and I thought I'd walk through why it triggered.

$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS means local to remote on web ports.

content:"POST"; http_method; means an HTTP POST (typically what happens when a user hits a submit button on a website, but there are many ways to post data back to a server).

content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; means the HTTP headers must contain the text 'Content-Length: 128' followed by a newline (\r\n), i.e. the body is exactly 128 bytes.

content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; means HTTP/1. and User-Agent must be close together (with distance:1 skipping the minor version digit and within:14 equal to the length of the second pattern, User-Agent has to be the very first header after the request line).

content:!"|0D 0A|Accept"; http_header; means the headers must not contain a line starting with Accept.

pcre:"/[^ -~\x0d\x0a]{4}/P"; means the request body (the P modifier) must match this regular expression:
' -~' means "printable characters" (space through tilde; look at http://www.asciitable.com/ and go from the 2nd column to the end),
\x0d and \x0a are the newline characters again,
the ^ inside the brackets means "none of these",
and the {4} means 4 times in a row.
So I'd read it as saying the body contains 4 non-printable characters in a row, which, based on the title 'ZeroAccess Encrypted 128-byte POST No Accept Headers', I'm guessing is how they try to indicate the body is encrypted.

Other good links for ZeroAccess are Symantec explanation and Symantec white paper




Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, November 13, 2015

Win.Trojan.Boaxxe Snort Rule

Quick little rundown of a Boaxxe Snort rule and why it fired. Hopefully it's useful for those researching Boaxxe as well as for those just trying to understand Snort rules. Sample pasted here.

Let's say an end user navigates to this url.

GET http://lax1.ib.adnxs.com/vevent?e=wqT_3QLhBPB-WAIAAAIA1gAFCMyakrIFEJDU8s2rh9LdRRiJzZngzonb7EggASotCVQax2dnmSRAETXuzW-YICJAGQAAAAAAAFBAIYKGd6JWSkZAKdoYn7h5VElAMNie3gE4ywNAhhNIAlCiiY4RWLKuH2AAaMDIAXi55wOAAQGKAQNVU0SSAQEG8FqYAawCoAH6AagBAbABALgBAsABBcgBANABANgBAOABAPABAPoBBTM2MzIwigJYdWYoJ2EnLCAzNjE0NDIsIDE0NDczMzMxOTcpO3VmKCdjJywgMTA2MzA4MDEsQh4AAHIBOhw1ODgyMTQ2LDIeAPCNkgLBASF5Q3NKV3dpUjdZZ0ZFS0tKamhFWUFDQ3lyaDh3QURnQVFBQkloaE5RMko3ZUFWZ0FZT2tEYUFCd0JuaUlRWUFCQ0lnQmlFR1FBUUdZQVFHZ0FRR29BUU93QVFDNUFkb1luN2g1VkVsQXdRSGFHSi00ZVZSSlFNa0IwMkVvZGhBMjhEX1pBUUFBQQEDZFBBXzRBSEY3UTdxQVFjeU5EazRNelkyOVFFAR58QWdBSUJpQUstdnBnQmtBSUJtQUlLmgIdIXBRVkVOUWkyxADwenNxNGZJQUEu2AKVBOAC24Qd6gIkaHR0cDovL215LnhmaW5pdHkuY29tLz9jaWQ9Y3VzdCZ0cz0zgAMAiAMBkAPdqwOYAwygAwGqAwCwAwC4AwDAA6wCyAMA2APmllbgAwDoAwDwAwD4AwOABACSBAgvcnViaWNvbpgEAA..&s=ef52c870b9d5df7c528b188c673193e6a6cb7d3d&referrer=http%3A%2F%2Fmy.xfinity.com%2F%3Fcid%3Dcust%26ts%3D3&type=nv&nvt=5&bw=0&bh=0&sw=1536&sh=864&pw=1536&ph=3662&ww=1519&wh=719&ft=2&sv=27&tv=view5-1&ua=ie9&pl=win&x=1447333198455830943,279999,v,win,ie9,view5-1,0,,2 HTTP/1.1
Accept: */*
Origin: http://my.xfinity.com
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: lax1.ib.adnxs.com
Proxy-Connection: Keep-Alive
Pragma: no-cache


And this snort rule triggered on your IDS. You might ask why?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; urilen:485<>520; content:!"/"; offset:1; http_raw_uri; content:!"."; http_uri; content:"%2f"; http_raw_uri; content:"%2b"; http_raw_uri; content:"|20|MSIE|20|"; fast_pattern:only; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30495; rev:1; )

Let's pick it apart below.

tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
flow:to_server,established;


It must be TCP traffic. It must be from your internal network outbound to an external host. The destination must be one of the ports in your $HTTP_PORTS variable (80, 8080 and so on). It must be an established connection, with the packet going from client to server. Yep, all those match so far.

urilen:485<>520;

Must be a long URL, between 485 and 520 bytes. By default urilen is measured on the normalized URI, so a percent-encoded sequence counts as one byte after decoding. Yep.

content:!"/"; offset:1; http_raw_uri;

Must not contain a / after the first byte (offset:1 skips the leading slash), so the path is a single segment with no sub folder. This is checked on the raw URI on purpose: in the normalized URI the %2f the rule requires further down would already be decoded to a slash. Yep, still good.

content:!"."; http_uri;

Must not contain a . anywhere in the normalized URI, path or query (so no file extension like .php or .aspx, and since the normalized buffer is percent-decoded, a %2e gets caught too). Double-check this one against the exact URI your sensor saw: the request pasted above has literal dots in the referrer parameter (my.xfinity.com) and in the '..' before &s=, and a negated content match fails on any occurrence.

content:"%2f"; http_raw_uri;

Must contain a URL-encoded / written exactly as %2f. It's checked on the raw URI, so the encoding has to still be there, and content matches are case-sensitive unless nocase is set, so an upper-case %2F would not count. Yep, still good.

content:"%2b"; http_raw_uri;

Must contain a URL-encoded + written exactly as %2b, again in the raw URI and case-sensitive. Yep, still good.

content:"|20|MSIE|20|"; fast_pattern:only; http_header;

Must contain ' MSIE ' (with the surrounding spaces) somewhere in the request headers. In practice that means an Internet Explorer User-Agent, or malware impersonating one. fast_pattern:only makes this the string the fast pattern matcher pre-filters on before the rest of the rule is evaluated. Yep, still good.

content:!"Referer:"; http_header;

Must not contain a Referer header (yes, the header name really is spelt that way). Meaning the user did not click from a different page to get here; it was a direct call, which is unusual for a browser fetching an ad or a page resource. Yep, good.

metadata:impact_flag red, service http;
classtype:trojan-activity;


The matching part of the rule is over; these are metadata the IDS uses to categorize and prioritize the alert, not to decide whether it fires. impact_flag red marks it as high impact, service http ties it to traffic the HTTP preprocessor has identified, and classtype trojan-activity sets the alert's priority class.

reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf;

This is amazing documentation for this rule. I wish more snort rule developers would supply good documentation!

sid:30495; rev:1;

sid is the rule's unique ID (with the default gid of 1 this is rule 1:30495), and rev is the revision number. In this case it's the 1st version of this rule; rev gets bumped whenever the rule is changed.
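Since both this walk-thru and the ZeroAccess 1:26910 walk-thru above boil down to a handful of content/pcre predicates, here they are re-implemented in Python. This is an added example, not code from the original posts or from Snort: it approximates Snort's buffers (percent-decoding stands in for http_inspect's URI normalization, and each header line is treated as CRLF-prefixed), and the sample requests are constructed for illustration rather than taken from the captured adnxs.com request above.

```python
import re
from urllib.parse import unquote_to_bytes


def build_request(method: bytes, uri: bytes, headers, body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 request; headers is an ordered list of (name, value)."""
    lines = [method + b" " + uri + b" HTTP/1.1"]
    lines += [name + b": " + value for name, value in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def split_request(raw: bytes):
    """Return (method, raw_uri, header_block, body). The header block is returned with a
    leading and trailing CRLF so patterns can be tested exactly as the rules write them
    (e.g. '|0D 0A|Accept'); this is an approximation of Snort's http_header buffer."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, raw_uri, _version = request_line.split(b" ", 2)
    return method, raw_uri, b"\r\n" + header_block + b"\r\n", body


def matches_zeroaccess_26910(raw: bytes) -> bool:
    """Match conditions of sid 26910, 'ZeroAccess Encrypted 128-byte POST No Accept Headers'."""
    method, _uri, headers, body = split_request(raw)
    if method != b"POST":                               # content:"POST"; http_method
        return False
    if b"Content-Length: 128\r\n" not in headers:       # exactly 128 bytes of POST data
        return False
    # content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1;
    # distance:1 skips the minor version digit and the 14-byte pattern has to fit in a
    # 14-byte window, so User-Agent must be the very first header line.
    pos = raw.find(b" HTTP/1.")
    if pos < 0 or raw[pos + 9:pos + 23] != b"\r\nUser-Agent: ":
        return False
    if b"\r\nAccept" in headers:                        # content:!"|0D 0A|Accept"; http_header
        return False
    # pcre:"/[^ -~\x0d\x0a]{4}/P": four consecutive bytes in the POST body that are neither
    # printable ASCII nor CR/LF, the rule's heuristic for an encrypted payload.
    return re.search(rb"[^ -~\x0d\x0a]{4}", body) is not None


def matches_boaxxe_30495(raw: bytes) -> bool:
    """Match conditions of sid 30495, 'Win.Trojan.Boaxxe variant outbound connection'."""
    _method, raw_uri, headers, _body = split_request(raw)
    norm_uri = unquote_to_bytes(raw_uri)   # stand-in for Snort's percent-decoded http_uri buffer
    # urilen:485<>520 is measured on the normalized URI. Whether the bounds are inclusive
    # has differed between Snort versions, so keep real test cases away from the edges.
    if not 485 <= len(norm_uri) <= 520:
        return False
    if b"/" in raw_uri[1:]:                             # content:!"/"; offset:1; http_raw_uri
        return False
    if b"." in norm_uri:                                # content:!"."; http_uri (catches %2e too)
        return False
    if b"%2f" not in raw_uri or b"%2b" not in raw_uri:  # raw buffer, case-sensitive: %2F fails
        return False
    if b" MSIE " not in headers:                        # content:"|20|MSIE|20|"; http_header
        return False
    return b"Referer:" not in headers                   # content:!"Referer:"; http_header


# Constructed sample requests (illustrative, not traffic from the posts).
ZEROACCESS_HIT = build_request(
    b"POST", b"/",
    [(b"User-Agent", b"Mozilla/5.0"), (b"Host", b"cnc.example"), (b"Content-Length", b"128")],
    body=b"\x8a\x13\xf0\x07" + b"Q" * 124)              # 4 non-printable bytes, 128 bytes total
BROWSER_POST = build_request(
    b"POST", b"/login",
    [(b"Host", b"www.example"), (b"User-Agent", b"Mozilla/5.0"), (b"Accept", b"*/*"),
     (b"Content-Length", b"128")],
    body=b"user=alice&" + b"x" * 117)                   # printable form data, Accept present
BOAXXE_HIT = build_request(
    b"GET", b"/" + b"k" * 490 + b"%2fAB%2b" + b"z" * 5,  # one segment, no '.', decodes to 500 bytes
    [(b"User-Agent", b"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"), (b"Host", b"cnc.example")])
AD_REQUEST = build_request(
    b"GET", b"/" + b"k" * 490 + b"%2FAB%2b" + b"z" * 5,  # same shape but upper-case %2F ...
    [(b"User-Agent", b"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)"),
     (b"Referer", b"http://www.example/"), (b"Host", b"ads.example")])  # ... and a Referer


def verdicts() -> dict:
    """Evaluate every sample against both rules; returns {sample: (hits_26910, hits_30495)}."""
    samples = {"zeroaccess_hit": ZEROACCESS_HIT, "browser_post": BROWSER_POST,
               "boaxxe_hit": BOAXXE_HIT, "ad_request": AD_REQUEST}
    return {name: (matches_zeroaccess_26910(r), matches_boaxxe_30495(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (za, bx) in verdicts().items():
        print(f"{name:15s} 1:26910={za!s:5s} 1:30495={bx}")
```

Run it as a script to see each sample's verdict. The counter-examples are the instructive part: the browser POST fails 26910 because Host comes before User-Agent and an Accept header is present, and the ad request fails 30495 on case alone (%2F instead of %2f) before the Referer check is even reached.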




Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.