Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Re: Fp ON 2001702

from [Colin Grady] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Re: Fp ON 2001702
Date: Mon, 4 Jul 2005 12:47:02 -0500 
You could use the distance or within keywords to force the
content:"Bundle" to follow the content:"User-Agent\: " without using a
pcre. The following might be a good example of a rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity";
flow:established,to_server; content:"User-Agent\: "; nocase;
content:"Bundle"; nocase; within:30; classtype: policy-violation; sid:
2001702; rev:8;)

Perhaps?

Colin


On 7/4/05, Matt Jonkman <matt@infotex.com> wrote:

I'm adjusting that one and the Grand Street Interactive sigs. I had
split them up to avoid false positives, but this is causing more on
those 2 sigs.

I'm hesitant to pcre these as there are a lot of them. But if I can't
tune them I'll do that.

I'm putting this sig back together. The user-agent we're looking for is
just that, not tacked onto the end of another string. Let me know if
that does better.

Thanks

Matt

Michael Scheidell wrote:

Seems if you have sun java engine on your windows XP engine and attempt
to update it, you trigger the 2001702 signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; content:"User-Agent\: "; nocase;
content:"Bundle"; nocase; classtype: policy-violation; sid: 2001702;
rev:6;)

Should we not use some type of offset or use pcre to make sure 'Bundle'
comes after User-Agent?
Maybe this should be looked at for all of the 'user-agent' strings?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:
"BLEEDING-EDGE MALWARE Shop at Home Select Spyware Activity"; flow:
established,to_server; pcre:"/User-Agent\:.*Bundle/i"; classtype:
policy-violation; sid: 2001702; rev:7;)

000 : 47 45 54 20 2F 77 65 62 61 70 70 73 2F 64 6F 77   GET /webapps/dow
010 : 6E 6C 6F 61 64 2F 41 75 74 6F 44 4C 3F 42 75 6E   nload/AutoDL?Bun
020 : 64 6C 65 49 64 3D 39 39 39 33 20 48 54 54 50 2F   dleId=9993 HTTP/
030 : 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A   1.1..Accept: */*
040 : 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E   ..Accept-Encodin
050 : 67 3A 20 69 64 65 6E 74 69 74 79 0D 0A 52 61 6E   g: identity..Ran
060 : 67 65 3A 20 62 79 74 65 73 3D 30 2D 34 38 37 31   ge: bytes=0-4871
070 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
080 : 63 72 6F 73 6F 66 74 20 42 49 54 53 2F 36 2E 36   crosoft BITS/6.6
090 : 0D 0A 48 6F 73 74 3A 20 6A 64 6C 2E 73 75 6E 2E   ..Host: jdl.sun.
0a0 : 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   com..Connection:
0b0 : 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 0D 0A       Keep-Alive....



--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&opÌk
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Re: Fp ON 2001702, Frank Knobbe
Next by Date:  Re: [Snort-sigs] Re: Fp ON 2001702, Frank Knobbe
Previous by Thread:  [Snort-sigs] Re: Fp ON 2001702, Matt Jonkman
Next by Thread:  Re: [Snort-sigs] Re: Fp ON 2001702, Frank Knobbe
Indexes:  [Date] [Thread] [Top] [All Lists]