
| Subject: | [Snort-sigs] Invalid HTTP Strig |
|---|---|
| Date: | Thu, 30 Sep 2004 13:38:36 -0500 |
I am getting a few WEB-MISC Invalid HTTP Version String alerts. What is your experience with this alert?

Jacob Goodson, CISA
Franciscan Missionaries of Our Lady Health System
Information Security Project Manager
225-765-6926

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of snort-sigs-request@lists.sourceforge.net
Sent: Wednesday, September 29, 2004 10:34 PM
To: snort-sigs@lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #1118 - 7 msgs

Send Snort-sigs mailing list submissions to snort-sigs@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request@lists.sourceforge.net
You can reach the person managing the list at snort-sigs-admin@lists.sourceforge.net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..."

Today's Topics:
1. Bleedingsnort.com Daily Update (matt@infotex.com)
2. Re: bleedingmalware sigs and severity (Burak DAYIOGLU)
3. Re: How to detect Skype? (Jason Haar)
4. Mime type filtering when looking for GDI+ (Lazarakis, Dan)
5. Re: Mime type filtering when looking for GDI+ (Russell Fulton)
6. New bleeding virus rules (Korgo.P) (Nick Hatch)
7. Bleedingsnort.com Daily Update (matt@infotex.com)

--__--__--

Message: 1
Date: Tue, 28 Sep 2004 20:00:02 -0500
From: matt@infotex.com
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Bleedingsnort.com Daily Update

[***] Results from Oinkmaster started Tue Sep 28 20:00:01 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding-virus.rules (1):
alert tcp any any -> any any (msg:"BLEEDING-EDGE GDI Exploit - Worm 1 Successful Execution"; content:"USER bawz"; nocase; reference:url,www.easynews.com/virus.txt; classtype:trojan-activity; sid:2001332; rev:2;)
[---] Disabled rules: [---]
-> Disabled in bleeding.rules (1):
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS"; pcre:"/\x89\x50\x4E\x47\x0D\x0A\x1A\x0A([\s\S]){17}\x03/Ri"; content:"tRNS"; byte_jump:4, -8, relative, big; pcre:"/([\s\S]){8}/R"; pcre:"/([a-zA-Z]){2}[A-Z][a-zA-Z]/R"; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001203; rev:1;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-sid-msg.map (1):
2001332 || BLEEDING-EDGE GDI Exploit - Worm 1 Successful Execution || url,www.easynews.com/virus.txt
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (1):
2001203 || BLEEDING-EDGE libPNG - Remotely exploitable stack-based buffer overrun in png_handle_tRNS || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html
[*] Added files: [*]
None.

--__--__--

Message: 2
Date: Wed, 29 Sep 2004 09:44:00 +0300
From: Burak DAYIOGLU <dayioglu@metu.edu.tr>
To: Caracal GH <ghostettler@caracal.ch>
CC: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] bleedingmalware sigs and severity

Caracal GH wrote:
> Burak, Matt and David,
> To resume, there is a choice to be done between in-rule prioritizing and classification.
> But, the less burden for admins and the highest flexibility would be to ADD (do not shout at me, pls...) a new category. Leave existing trojan-activity and have a new one called, for example low-impact-trojan (or whatever you see fit). This will allow admins to simply edit the classification.config to add this new class and give the priority they want.

I totally agree with your suggestion, I was so panicked that I didn't even think about suggesting a solution but just yelled. Trojans *may* be grouped in two priority classes; better the SigNazi (<wink>) choose the best names if he acknowledges the requirement.

> And do you use oink to update your living classification.config ? Do not you use a real classification.config that you update manually and another one which is oinked (but not used) just to see what changes are ongoing ? IMHO, should be the config of choice...

yes. ;)

-bd

--__--__--

Message: 3
Date: Thu, 30 Sep 2004 00:55:01 +1200
From: Jason Haar <Jason.Haar@trimble.co.nz>
Organization: Trimble Navigation Ltd.
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] How to detect Skype?

Hernandez Huerta Higinio wrote:
> Who can help me? We would like to detect Skype connections by TCP 80 port, does somebody know a snort rule?
Why only port 80? skype uses almost any port number.
In fact, Skype is about the worst application there is for writing IDS
rules for. It appears to start as follows:
Attempt TCP connection on variety of ports to a variety of Internet IP
addresses - 60-80 in total (?,sorry it's been a few weeks since I looked
- so not sure) which are the Skype "Addressbook" servers
If that doesn't work, it'll also try over port 80 and port 443 - trying
to find a way out
If that doesn't work, it will look at proxy server settings (even
reading HTTP_PROXY under Unix!) and will route via existing proxy servers
Then when a "conversation" starts, it'll try talking P2P to the other
host directly using UDP (random ports), TCP (random ports), TCP-fixed
(port 54045 by default)
If that fails, it'll try routing the call via the Addressbook servers
TCP port 443 (i.e. it looks like HTTPS traffic)
If that fails, it'll route as above via proxy server settings
On top of that, all traffic is encrypted using some proprietary method.
So you can't see it very well via pattern-matching rules.
On top of all that(!!), it doesn't remember what previously worked. We
have egress filtering and proxy servers (so only routing via "HTTPS" via
our proxy works), and yet our firewalls are continually blocking TCP and
UDP packets from internal Skype users (thankfully only me at the moment
:-).
I wish once it found that only proxy-connections worked, that it would
stop trying the other methods (or at least stick to one port). It's
really ruining any Event Correlation techniques I've been doing with our
firewall logs :-(
BTW: I have had some success with catching the voice traffic with the
following rule.
alert tcp $HOME_NET any -> any any (msg:"P2P CHAT Skype VoIP Initialization"; flow:to_server,established; content:"|8046010301002d0000001000000500000400000a00000900006400006200000800 00030000060100800700c0030080060040020080040080|"; depth:112; classtype:policy-violation; sid:1000013; rev:1;)
Jason
--__--__--
Message: 4
Date: Wed, 29 Sep 2004 11:39:33 -0700
From: "Lazarakis, Dan" <DLazarak@wcb.bc.ca>
To: <snort-sigs@lists.sourceforge.net>
Subject: [Snort-sigs] Mime type filtering when looking for GDI+
FYI only
I noticed on incidents.org that Judy Novak created some snort sigs the
other day (Sept 22) to detect malicious jpegs. I thought everyone should
know that the mime type/content type they look for is 'image/jp*'. But
the world needs to be aware that "image/pjp*" is also a valid mime type
for jpegs. Matter of fact, I've been seeing a lot of "image/pjpeg" files
traversing our perimeter. Where this mime type comes from is a mystery
as it is not listed in some of the HTTP resources I've searched. Rumor
has it that Japanese IIS servers generate this mime type, but as I said,
it is rumor.
--__--__--
Message: 5
Subject: Re: [Snort-sigs] Mime type filtering when looking for GDI+
From: Russell Fulton <r.fulton@auckland.ac.nz>
To: "Lazarakis, Dan" <DLazarak@wcb.bc.ca>
Cc: snort-sigs@lists.sourceforge.net
Date: Thu, 30 Sep 2004 12:03:46 +1200
On Thu, 2004-09-30 at 06:39, Lazarakis, Dan wrote:
> FYI only I noticed on incidents.org that Judy Novak created some snort sigs the other day (Sept 22) to detect malicious jpegs. I thought everyone should know that the mime type/content type they look for is 'image/jp*'. But the world needs to be aware that "image/pjp*" is also a valid mime type for jpegs. Matter of fact, I've been seeing a lot of "image/pjpeg" files traversing our perimeter. Where this mime type comes from is a mystery as it is not listed in some of the HTTP resources I've searched. Rumor has it that Japanese IIS servers generate this mime type, but as I said, it is rumor.
It is my considered opinion that any defensive measure based on MIME
types (or on file name/extensions) is fatally flawed. Many products
(IE prominent amongst them) will figure out the type of a file
regardless of the MIME type or file name. Sigh...
Yes, this causes problems for things like snort and makes it much more
difficult to write effective rules that don't have lots of false
positives.
--
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
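As an added illustration of Russell's point (this is not code from the thread or from any of its authors), the Python below classifies an HTTP response by the JPEG magic bytes a sniffing client would honour and compares that verdict with a Content-Type check keyed on image/jp*, so image/pjpeg and otherwise mislabelled bodies show up as misses. The responses and the stub JPEG header are constructed samples, not captured traffic.

```python
# Added illustration: classify by the JPEG magic bytes the client will honour,
# not by the declared Content-Type.  Not code from the thread; the HTTP
# responses below are constructed samples, not captured traffic.
JPEG_MAGIC = b"\xff\xd8\xff"   # SOI marker plus the first byte of the next marker

def split_http_response(raw):
    """Split a raw HTTP/1.x response into ({lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body

def declared_type(headers):
    """Media type from Content-Type without parameters, lowercased ('' if absent)."""
    return headers.get("content-type", "").split(";")[0].strip().lower()

def jpeg_by_mime(headers):
    """What a rule keyed on 'image/jp*' sees: image/jpeg yes, image/pjpeg no."""
    return declared_type(headers).startswith("image/jp")

def jpeg_by_content(body):
    """What a sniffing client renders: a JPEG SOI marker, whatever the header says."""
    return body.startswith(JPEG_MAGIC)

def classify(raw):
    """Compare the MIME-based and content-based verdicts for one response."""
    headers, body = split_http_response(raw)
    by_mime, by_body = jpeg_by_mime(headers), jpeg_by_content(body)
    if by_body and not by_mime:
        return "jpeg-missed-by-mime-rule"    # pjpeg, octet-stream, text/plain ...
    if by_mime and not by_body:
        return "mime-says-jpeg-body-is-not"
    return "jpeg" if by_body else "not-jpeg"

def response(ctype, body):
    """Build a constructed HTTP/1.1 200 response with the given Content-Type."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# Stub JPEG header (SOI + APP0 'JFIF'), constructed, not a real image.
STUB_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLES = {
    "image/jpeg": response(b"image/jpeg", STUB_JPEG),
    "image/pjpeg": response(b"image/pjpeg", STUB_JPEG),
    "octet-stream": response(b"application/octet-stream", STUB_JPEG),
    "html": response(b"text/html; charset=us-ascii", b"<html></html>"),
    "mislabelled": response(b"image/jpeg", b"<html>not an image</html>"),
}
```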
--__--__--
Message: 6
Date: Wed, 29 Sep 2004 17:41:22 -0700
From: Nick Hatch <nick@restek.wwu.edu>
To: snort-sigs@lists.sourceforge.net
CC: mjonkman@infotex.com
Subject: [Snort-sigs] New bleeding virus rules (Korgo.P)
Noticed that there haven't been very many additions to the bleedingvirus
rules set lately, decided that it was time to contribute. I hope to
contribute more later.
These are the first rules I've written based off wire captures as
opposed to mail attachments or simple content searching, so any comments
are appreciated.
alert tcp $HOME_NET any -> any 445 (msg:"Korgo.P offering executable"; \
content:"|FF|SMB"; flow:to_server,established; depth:10; \
content:"|58|http"; content:".exe"; nocase; within:36; \
reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:1; sid:2800002;)

alert tcp $HOME_NET any -> any any (msg:"Korgo.P binary upload"; \
content:"|aa4f7ea86c90457d686868f0de687a68689768686868|"; \
reference:url,www.f-secure.com/v-descs/korgo_p.shtml; rev:1; sid:2800003;)
-Nick
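Nick's first rule and Jason Haar's Skype VoIP Initialization rule in message 3 both lean on the same Snort content modifiers (content with |hex| bytes, nocase, depth, within). The Python below is an added illustration, not Snort's matcher and not either author's code: it implements the semantics of those modifiers and runs both rules' content options over constructed packets. The rule options are copied from the digest; the SMB request, the Skype stream layout and the address 198.51.100.7 are made-up test data.

```python
# Toy model of the Snort content options used in these rules (content with
# |hex| escapes, nocase, depth, within).  Added illustration, not Snort's own
# matcher; the rule options below are copied from the digest messages.
SKYPE_INIT_HEX = ("8046010301002d0000001000000500000400000a00000900006400006200000800"
                  "00030000060100800700c0030080060040020080040080")

# Each rule: ordered (content spec, modifiers) pairs as written in the rule text.
SKYPE_INIT_RULE = [("|" + SKYPE_INIT_HEX + "|", {"depth": 112})]
KORGO_OFFER_RULE = [("|FF|SMB", {"depth": 10}),
                    ("|58|http", {}),
                    (".exe", {"nocase": True, "within": 36})]

def parse_content(spec):
    """Expand Snort |hex| escapes, e.g. '|FF|SMB' -> b'\\xffSMB'."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def match_rule(payload, rule):
    """True when every content option matches in order.  depth: the pattern
    must end within the first N bytes of the payload.  within: it must end
    within N bytes after the end of the previous match (Snort semantics)."""
    prev_end = 0
    for spec, mods in rule:
        pat = parse_content(spec)
        start = prev_end if "within" in mods else 0
        end = len(payload)
        if "depth" in mods:
            end = min(end, mods["depth"])
        if "within" in mods:
            end = min(end, prev_end + mods["within"])
        hay, needle = payload[:end], pat
        if mods.get("nocase"):
            hay, needle = hay.lower(), pat.lower()
        idx = hay.find(needle, start)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True

# Constructed test packets (not captures): an SMB request carrying an .EXE URL,
# and the Skype handshake at stream start vs. pushed past depth:112.
SMB_HEAD = b"\x00\x00\x00\x58\xffSMB" + b"\x00" * 20
SMB_WITH_EXE = SMB_HEAD + b"Xhttp://198.51.100.7/x/installer.EXE\x00"
SMB_BENIGN = SMB_HEAD + b"Xhttp://198.51.100.7/readme.txt\x00"
SKYPE_EARLY = bytes.fromhex(SKYPE_INIT_HEX) + b"\x00" * 64
SKYPE_LATE = b"\x00" * 60 + bytes.fromhex(SKYPE_INIT_HEX)
```

SKYPE_LATE shows the effect of depth:112: the same 56-byte pattern starting at offset 60 ends at byte 116, so the rule does not fire on it.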
--__--__--
Message: 7
Date: Wed, 29 Sep 2004 20:00:02 -0500
From: matt@infotex.com
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Bleedingsnort.com Daily Update
[***] Results from Oinkmaster started Wed Sep 29 20:00:02 2004 [***]
[+++] Added rules: [+++]
-> Added to bleeding-malware.rules (3):
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Ezula"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; classtype:trojan-activity; sid:2001334; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Ezula Installer Download"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; classtype:trojan-activity; sid:2001335; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Internet Optimizer Spyware Agent Upload"; uricontent:"/conf/xml/"; nocase; classtype:trojan-activity; sid:2001336; rev:1;)
-> Added to bleeding-p2p.rules (1):
alert tcp $HOME_NET any -> any any (msg:"BLEEDING-EDGE P2P CHAT Skype VoIP Initialization"; flow:to_server,established; content:"|8046010301002d0000001000000500000400000a00000900006400006200000800 00030000060100800700c0030080060040020080040080|"; depth:112; classtype:policy-violation; sid:2001333; rev:1;)
[---] Disabled rules: [---]
-> Disabled in bleeding-virus.rules (1):
#alert tcp any any -> any any (msg:"BLEEDING-EDGE GDI Exploit - Worm 1 Successful Execution"; content:"USER bawz"; nocase; reference:url,www.easynews.com/virus.txt; classtype:trojan-activity; sid:2001332; rev:2;)
[---] Removed rules: [---]
-> Removed from bleeding-malware.rules (3):
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware TopText ILookup Installer Download"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; classtype:trojan-activity; sid:2000579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopText ILookup Access"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; classtype:trojan-activity; sid:2000578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Unknown Spyware Agent Upload"; uricontent:"/conf/xml/"; nocase; classtype:trojan-activity; sid:2001324; rev:1;)
[+++] Added non-rule lines: [+++]
-> Added to bleeding-p2p.rules (1):
#Submitted by Jason Haar
-> Added to bleeding-sid-msg.map (4):
2001333 || BLEEDING-EDGE P2P CHAT Skype VoIP Initialization
2001334 || BLEEDING-EDGE Malware Ezula || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,www.ezula.com
2001335 || BLEEDING-EDGE Malware Ezula Installer Download || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,www.ezula.com
2001336 || BLEEDING-EDGE Malware Internet Optimizer Spyware Agent Upload
[---] Removed non-rule lines: [---]
-> Removed from bleeding-sid-msg.map (4):
2000578 || BLEEDING-EDGE Malware TopText ILookup Access || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,www.ezula.com
2000579 || BLEEDING-EDGE Malware TopText ILookup Installer Download || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,www.ezula.com
2001324 || BLEEDING-EDGE Malware Unknown Spyware Agent Upload
2001332 || BLEEDING-EDGE GDI Exploit - Worm 1 Successful Execution || url,www.easynews.com/virus.txt
[*] Added files: [*]
None.
--__--__--
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
End of Snort-sigs Digest