Russell Fulton | 24 Sep 00:51 2014

duplicate rules

These versions are from the wiki.

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:3;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN JCE Joomla Extension User-Agent (BOT)"; flow:to_server,established; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)|0d 0a|"; http_header; reference:url,exploit-db.com/exploits/17734/; reference:url,blog.spiderlabs.com/2014/03/honeypot-alert-jce-joomla-extension-attacks.html; classtype:attempted-recon; sid:2018327; rev:2;)
Russell Fulton | 24 Sep 00:44 2014

"F P" for ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https) 2008019


we are seeing several different things using things like this:

User-Agent: HttpSendRequest

I am using the Suricata rules, which do not check the CR/LF that the original rule did.

Russell.
Francis Trudeau | 24 Sep 00:27 2014

Daily Ruleset Update Summary 09/23/2014

 [***] Summary: [***]

 12 new Open rules, 22 new Pro.  NjRAT, Angler EK, Various Android, Cryptolocker C2.

 Thanks:  Patrick Olsen, Kevin Ross, @kafeine and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2019214 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture) (trojan.rules)
  2019215 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone) (trojan.rules)
  2019216 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Message) (trojan.rules)
  2019217 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell) (trojan.rules)
  2019218 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing) (trojan.rules)
  2019219 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing) (trojan.rules)
  2019220 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing) (trojan.rules)
  2019221 - ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions) (trojan.rules)
  2019222 - ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging) (trojan.rules)
  2019223 - ET TROJAN njrat ver 0.7d Malware CnC Callback (trojan.rules)

Jake Warren | 23 Sep 21:13 2014

FP Reduction on SQL Injection Sigs

Hi ET & Community,

Within my environment, SQL injection signatures make up a significant amount of all false positives I get. Inspired by your recent revision to 2006445 I examined a few other SQL injection signatures and made some modifications to the pcres and wanted to share my results. Although I had a relatively small sample size of true positives for some of the rules, I didn't have any false negatives and the tweaks resulted in a reduction of false positives. Below are the SIDs and pcres I'm using. I'm sure some of the regex wizards on this list can come up with something even better.

2006447 pcre:"/[&\?].*UPDATE[^a-z]+SET\x20*[A-Za-z0-9]*\x20*\x3d/Ui";
2006443 pcre:"/DELETE\b.*FROM/Ui";
2010963 pcre:"/SELECT[\/* +].+USER/Ui";
2006444 pcre:"/INSERT[^\w]+INTO/Ui";

-Jake Warren
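A small test harness, added here and not part of Jake's post, that runs his four tuned pcres over constructed sample URIs (not real traffic) and tallies true positives, false positives and false negatives, so a pcre change can be checked against a saved sample set before it is deployed. Python's `re` with `re.IGNORECASE` on a URL-decoded URI stands in for Suricata's `/Ui` normalized-URI matching; one constructed attack URI shows that `[^a-z]+SET` in the 2006447 pcre does not match when a table name sits between UPDATE and SET.

```python
import re
from urllib.parse import unquote

# Jake's four tuned pcres, keyed by ET SID, copied from the post. Suricata's
# /U modifier applies them to the normalized URI buffer and /i makes them
# case-insensitive; here we approximate that with a URL-decoded URI string
# and re.IGNORECASE (Python re and PCRE agree on everything these use).
TUNED_PCRES = {
    2006447: r"[&\?].*UPDATE[^a-z]+SET\x20*[A-Za-z0-9]*\x20*\x3d",
    2006443: r"DELETE\b.*FROM",
    2010963: r"SELECT[\/* +].+USER",
    2006444: r"INSERT[^\w]+INTO",
}
COMPILED = {sid: re.compile(pat, re.IGNORECASE) for sid, pat in TUNED_PCRES.items()}


def matching_sids(raw_uri):
    """Return the sorted list of SIDs whose pcre fires on this request URI."""
    uri = unquote(raw_uri)  # stand-in for the IDS's URI normalization
    return sorted(sid for sid, rx in COMPILED.items() if rx.search(uri))


# Constructed sample URIs (not real traffic): (uri, is_attack).
SAMPLES = [
    # missed: "users" sits between UPDATE and SET, but the pcre only allows
    # non-letters there ([^a-z]+SET), so 2006447 never fires on this form
    ("/search.php?id=1;UPDATE users SET password='x'", True),
    ("/item?id=1;DELETE FROM orders", True),
    ("/page?q=1 UNION SELECT 1,user()", True),
    # percent-encoded; decoded before matching like the normalized URI buffer
    ("/api?x=1%3BINSERT%20INTO%20logs%20VALUES(1)", True),
    # benign: 'update' appears, but not in the UPDATE<non-letters>SET..= shape
    ("/catalog?category=furniture&sort=updated", False),
    ("/blog/how-to-update-your-settings-from-the-admin-panel", False),
    # benign but still caught: [^\w]+ accepts the hyphen, a residual FP
    ("/docs?topic=insert-into-table", False),
]


def evaluate(samples):
    """Count true positives, false positives and false negatives over samples."""
    tp = fp = fn = 0
    for uri, is_attack in samples:
        hit = bool(matching_sids(uri))
        if hit and is_attack:
            tp += 1
        elif hit and not is_attack:
            fp += 1
        elif not hit and is_attack:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    for uri, is_attack in SAMPLES:
        label = "ATTACK" if is_attack else "benign"
        print(f"{label:6} {matching_sids(uri)!s:10} {uri}")
    print("tp/fp/fn:", evaluate(SAMPLES))
```

Swap SAMPLES for the URIs pulled from your own true- and false-positive alerts to measure a pcre revision the way the post describes.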
Jake Warren | 23 Sep 20:20 2014

Question about Tor sig (2018789)

Hi,

When you guys were QA'ing 2018789, did you measure how bad the performance hit would be to include port 443? The reason I ask is because I'm seeing this signature miss the majority of TOR traffic since most of the Tor traffic I'm seeing is going out over 443 versus 9001.

Thanks,
Jake
Patrick Olsen | 23 Sep 15:08 2014

njrat version 0.7d sigs

All,

I downloaded the njrat version 0.7d builder this evening and generated a range of activities with it. I ran the latest ET trojan rules (specifically looking at ET TROJAN Bladabindi/njrat CnC) against two pcaps I have and didn't get any hits on them. I believe where the rules are falling short is the depth values that are set. They trigger on a few of them if you remove it. In either case I re-wrote the rules. 

They would only trigger if I had -k none (Checksum mode set to none). This was the case with a live pcap and my test/controlled pcap. 

The hash referenced is the archive of the njrat builder. You can download it from VT.

I decided to break them out into what the command issued is (Ex. Keylogging). All the return values are base64 encoded.

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Capture)"; flow:from_client,established; content:!"GET|20|"; content:"|FF D8 FF E0 00 10 4A 46 49 46|"; fast_pattern; content:"|00|CAP|7c 27 7c 27 7c|"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100001; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Microphone)"; flow:from_client,established; content:"|00|MIC|7c 27 7c 27 7c|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100002; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Message)"; flow:from_client,established; content:"|00|MSG|7c 27 7c 27 7c|"; fast_pattern; content:"Executed As"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100003; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Remote Shell)"; flow:from_client,established; content:"|00|rs|7c 27 7c 27 7c|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100004; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Services Listing)"; flow:from_client,established; content:"|00|srv|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100005; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Registry Listing)"; flow:from_client,established; content:"|00|RG|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100006; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Process Listing)"; flow:from_client,established; content:"|00|proc|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100007; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (File Manager Actions)"; flow:from_client,established; content:"|00|fm|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100008; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback (Keylogging)"; flow:from_client,established; content:"|00|kl|7C 27 7C 27 7C|"; fast_pattern; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100009; rev:1;)

alert tcp any any -> any any (msg:"ET TROJAN njrat ver 0.7d Malware CnC Callback"; flow:from_client,established; content:"|00|ll|7C 27 7C 27 7C|"; fast_pattern; content:"0.7d"; reference:md5,bbc68c34bb2dac3ae382ecf785bdb441; classtype:trojan-activity; sid:100010; rev:1;)

Thanks,

Patrick
Victor Julien | 23 Sep 13:35 2014

Suricata 2.0.4 Available!

The OISF development team is pleased to announce Suricata 2.0.4. This
release fixes a number of issues in the 2.0 series.

This update fixes a bug in the SSH parser, where a malformed banner
could lead to evasion of SSH rules and missing log entries. In some
cases it may also lead to a crash. Bug discovered and reported by
Steffen Bauch.

Additionally, this release also addresses a new IPv6 issue that can lead
to evasion. Bug discovered by Rafael Schaefer working with ERNW GmbH.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz

Changes

- Bug #1276: ipv6 defrag issue with routing headers
- Bug #1278: ssh banner parser issue
- Bug #1254: sig parsing crash on malformed rev keyword
- Bug #1267: issue with ipv6 logging
- Bug #1273: Lua - http.request_line not working
- Bug #1284: AF_PACKET IPS mode not logging drops and stream inline issue

Security

- CVE-2014-6603

Special thanks

We'd like to thank the following people and corporations for their
contributions and feedback:

- Rafael Schaefer working with ERNW GmbH
- Steffen Bauch - @steffenbauch, http://steffenbauch.de/
- Bill Meeks

Known issues & missing features

If you encounter issues, please let us know! As always, we are doing our
best to make you aware of continuing development and items within the
engine that are not yet complete or optimal. With this in mind, please
notice the list we have included of known items we are working on. See
http://redmine.openinfosecfoundation.org/projects/suricata/issues for an
up to date list and to report new issues. See
http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues
for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security
Monitoring engine. Open Source and owned by a community run non-profit
foundation, the Open Information Security Foundation (OISF). Suricata is
developed by the OISF, its supporting vendors and the community.
-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

Kevin Ross | 23 Sep 10:57 2014

SIGS: Sweet Orange and Angler

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate"; flow:established,to_server; content:"/k?t="; http_uri; depth:5; pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,www.malware-traffic-analysis.net/2014/09/19/index.html; sid:193311; rev:1;)

# Seen this in many examples going back to at least Late May/June time so looks pretty consistent.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers"; flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997 05|3A|00|3A|00 GMT"; http_header; content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT"; http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,www.malware-traffic-analysis.net/2014/09/22/index.html; sid:193312; rev:1;)

Kind Regards,
kevin Ross
Russell Fulton | 23 Sep 05:04 2014

duplicate rules -- sort of...

I am using the etpro 2.0.3 rules and I find that there are:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6;)

alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN LibSSH2 Based SSH Connection - Often used as a BruteForce Tool"; flow:established,to_server; ssh.softwareversion:"libssh2-"; threshold: type limit, track by_src, count 1, seconds 30; classtype:misc-activity; sid:2018689; rev:2;)

Both of which are triggering.  I take it the latter is taking advantage of the app-layer decoding.  Is it an oversight that the former rule is still enabled?

Russell
Francis Trudeau | 22 Sep 23:31 2014

Daily Ruleset Update Summary 09/22/2014

 [***] Summary: [***]

 12 new Open signatures, 20 new Pro (12+8).  Linux/BillGates, Various Android, Nuclear EK.

 Thanks:  @MalwareMustDie and @abuse_ch

 [+++]          Added rules:          [+++]

 Open:

  2019202 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
  2019203 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)
  2019204 - ET TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
  2019205 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (trojan.rules)
  2019206 - ET TROJAN ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2019207 - ET TROJAN Linux/BillGates Checkin (trojan.rules)
  2019208 - ET TROJAN Linux/BillGates Checkin Response (trojan.rules)
  2019209 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert) (current_events.rules)
  2019210 - ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF (current_events.rules)
  2019211 - ET TROJAN Win32/Badur.igh Checkin 2 (trojan.rules)
  2019212 - ET TROJAN Bossabot DDoS tool RFI attempt (trojan.rules)
  2019213 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014 (current_events.rules)

 Pro:

  2808861 - ETPRO TROJAN Likely Win32/Spy.Zbot.AAQ .onion Proxy DNS lookup (trojan.rules)
  2808862 - ETPRO MOBILE_MALWARE Android.Trojan.FakeInst.BX Checkin 4 (mobile_malware.rules)
  2808863 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin (trojan.rules)
  2808864 - ETPRO MOBILE_MALWARE Android/InfoStealer.BL Checkin via SMTP (mobile_malware.rules)
  2808865 - ETPRO TROJAN TROJAN Win32/Seey.A User-Agent (trojan.rules)
  2808866 - ETPRO TROJAN TROJAN Win32/Seey.A Checkin 2 (trojan.rules)
  2808867 - ETPRO WEB_CLIENT Possible Adobe Reader CVE-2014-0567 (web_client.rules)
  2808868 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 10 (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2019134 - ET CURRENT_EVENTS Flashpack Redirect Method 2 (current_events.rules)
  2019172 - ET TROJAN Linux.DDoS Checkin (trojan.rules)
  2019177 - ET TROJAN Linux/AES.DDoS Sending Real/Fake CPU&BW Info (trojan.rules)
  2019185 - ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014 (current_events.rules)
  2807357 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.SD Checkin (mobile_malware.rules)
  2808659 - ETPRO CURRENT_EVENTS FlashPack URI Struct Thread 2 Specific (current_events.rules)
  2808843 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Checkin 2 (mobile_malware.rules)
  2808844 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.kh Response 2 (mobile_malware.rules)

 [---]         Removed rules:         [---]

  2403321 - ET CINS Active Threat Intelligence Poor Reputation IP group 22 (ciarmy.rules)
  2405062 - ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (botcc.portgrouped.rules)
  2803491 - ETPRO TROJAN Suspicious HTTP STOP Return - Trojan.Win32.FakeAV.cfty or Related Controller (trojan.rules)
  2807626 - ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) (trojan.rules)
  2807683 - ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 2 (trojan.rules)
  2807710 - ETPRO TROJAN Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (trojan.rules)
Packet Sleuth | 22 Sep 14:28 2014

Upatre change

Attempted to send this late Friday, but it failed.  Wanted to get it in.  Haven't had time to test them yet.  This is being reported as Upatre by some of the AV vendors when submitted to Virus Total.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a 20|Installer|0d 0a|"; nocase; http_header; pcre:"/User-Agent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre downloading purported Tar file"; flow:to_client,established; content:"Content-Type|3a 20|application/x-tar|0d 0a|"; nocase; http_header; content:"Vary|3a 20|"; nocase; http_header; pcre:"/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Regards,
Packet Sleuth