# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#
Rule:
spyware-put.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SPYWARE-PUT Adware hxdl runtime detection - crypt user-agent"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"CryptRetrieveObjectByUrl|3A 3A|InetSchemeProvider"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]+CryptRetrieveObjectByUrl\x3A\x3AInetSchemeProvider/smi"; reference:url,www.spywareguide.com/product_show.php?id=516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075079; classtype:misc-activity; sid:7555; rev:1;)
--
Sid:
7555
--
Summary:
This event is generated when activity relating to a spyware application is detected.
--
Impact:
Unkown. Possible information disclosure, violation of privacy, possible violation of policy.
--
Detailed Information:
--
Affected Systems:
--
Attack Scenarios:
--
Ease of Attack:
--
False Positives:
Triggers on crl.microsoft.com
source addr dest addr Ver Hdr Len TOS length ID flags
offset TTL chksum
147.10.195.135
<http://192.168.0.254/acid/acid_stat_ipaddr.php?ip=147.10.195.135&netmask=32>
131.107.115.28
<http://192.168.0.254/acid/acid_stat_ipaddr.php?ip=131.107.115.28&netmask=32>
4 5 0 461 15547 0 0 64 44886
000 : 47 45 54 20 2F 70 6B 69 2F 63 72 6C 2F 70 72 6F GET /pki/crl/pro
010 : 64 75 63 74 73 2F 43 6F 64 65 53 69 67 6E 50 43 ducts/CodeSignPC
020 : 41 2E 63 72 6C 20 48 54 54 50 2F 31 2E 30 0D 0A A.crl HTTP/1.0..
030 : 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 55 73 65 Accept: */*..Use
040 : 72 2D 41 67 65 6E 74 3A 20 43 72 79 70 74 52 65 r-Agent: CryptRe
050 : 74 72 69 65 76 65 4F 62 6A 65 63 74 42 79 55 72 trieveObjectByUr
060 : 6C 3A 3A 49 6E 65 74 53 63 68 65 6D 65 50 72 6F l::InetSchemePro
070 : 76 69 64 65 72 0D 0A 48 6F 73 74 3A 20 63 72 6C vider..Host: crl
080 : 2E 6D 69 63 72 6F 73 6F 66 74 2E 63 6F 6D 0D 0A .microsoft.com..
090 : 43 6F 6F 6B 69 65 3A 20 73 5F 6E 72 3D 31 31 35 Cookie: s_nr=115
0a0 : 38 39 38 38 31 37 36 35 35 30 3B 20 57 54 5F 46 8988176550; WT_F
0b0 : 50 43 3D 69 64 3D 31 34 37 2E 31 30 2E 31 39 35 PC=id=147.10.195
0c0 : 2E 31 33 35 2D 31 31 33 34 36 37 32 31 31 32 2E .135-1134672112.
0d0 : 32 39 38 31 30 33 37 38 3A 6C 76 3D 31 31 35 38 29810378:lv=1158
0e0 : 39 32 33 33 35 37 38 32 30 3A 73 73 3D 31 31 35 923357820:ss=115
0f0 : 38 39 35 32 31 30 35 39 31 30 3B 20 4D 43 31 3D 8952105910; MC1=
100 : 47 55 49 44 3D 39 30 62 34 38 64 36 39 61 63 64 GUID=90b48d69acd
110 : 66 32 65 34 64 61 39 34 61 63 38 63 66 32 33 34 f2e4da94ac8cf234
120 : 61 62 33 61 39 26 48 41 53 48 3D 36 39 38 64 26 ab3a9&HASH=698d&
130 : 4C 56 3D 32 30 30 36 39 26 56 3D 33 3B 20 41 3D LV=20069&V=3; A=
140 : 49 26 49 3D 41 78 55 46 41 41 41 41 41 41 43 57 I&I=AxUFAAAAAACW
150 : 42 77 41 41 7A 53 39 42 54 35 4A 4A 2B 39 6A 34 BwAAzS9BT5JJ+9j4
160 : 36 46 75 6C 6A 58 30 65 74 67 21 21 0D 0A 43 61 6FuljX0etg!!..Ca
170 : 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D che-Control: no-
180 : 63 61 63 68 65 2C 20 6D 61 78 2D 61 67 65 3D 32 cache, max-age=2
190 : 35 39 32 30 30 0D 0A 0D 0A 59200....
--
False Negatives:
--
Corrective Action:
--
Contributors:
--
Additional References:
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
