Anand Aherkar | 27 Aug 06:23 2014

Nuclear EK redirect to actual exploit hosting site

Hi,

Very simple sig to help detect the redirection to the Nuclear EK site... please comment

# pcre metacharacters escaped so '.' and '?' match literally (unescaped, "js?ver" never matches the real URI); U matches against the normalized URI buffer
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit redirection to exploit hosting site"; uricontent:"/show_ads.js?ver="; nocase; pcre:"/\/show_ads\.js\?ver=[0-9]$/Ui"; reference:url,http://malware-traffic-analysis.net/2014/08/25/index2.html; sid:xxxxxx; gid:1; rev:1;)

Regards,

Francis Trudeau | 27 Aug 01:06 2014

Daily Ruleset Update Summary 08/26/2014

 [***] Summary: [***]

 2 new Open signatures, 23 new Pro (2+21).  BleedingLife EK, FlashPack, Zeus.

 Thanks:  rmkml

 [+++]          Added rules:          [+++]

 Open:

  2019023 - ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014
(current_events.rules)
  2019024 - ET CURRENT_EVENTS Offensive Security EMET Bypass Observed
in BleedingLife Variant Aug 26 2014 (current_events.rules)

 Pro:

  2808639 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.SendPay.a
Checkin (mobile_malware.rules)
  2808640 - ETPRO TROJAN Win32/Zbot Downloading PE (trojan.rules)
  2808641 - ETPRO TROJAN W32/Badur.ZYP Checkin (trojan.rules)
  2808642 - ETPRO TROJAN Win32.BHO Variant Checkin (trojan.rules)
  2808643 - ETPRO TROJAN Zeus variant C2 (trojan.rules)
  2808644 - ETPRO TROJAN Win32/Hupigon.NYK Checkin (trojan.rules)
  2808645 - ETPRO TROJAN MSIL/Agent.RQ Checkin (trojan.rules)
  2808646 - ETPRO TROJAN W32/ZEGOST.AAGP!TR.BDR Checkin (trojan.rules)
  2808647 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin (trojan.rules)
  2808648 - ETPRO TROJAN Backdoor.Win32.Stantinko.A Checkin 2 (trojan.rules)
  2808650 - ETPRO TROJAN PWS.MicroGaming Checkin (trojan.rules)
  2808651 - ETPRO TROJAN TROJAN-DROPPER.WIN32.FRAUDROP.AETPC Checkin

Francis Trudeau | 26 Aug 00:30 2014

Daily Ruleset Update Summary 08/25/2014

 [***] Summary: [***]

 29 new Open signatures, 42 new Pro (29+13).  Archie EK, NTP DDOS,
FlashPack EK, Abuse.ch SSL Blacklist.

 Thanks:  Jake Warren, ABUSE.CH and @kafeine

 [+++]          Added rules:          [+++]

 Open:

  2018994 - ET TROJAN Win32/Xema dropping file (trojan.rules)
  2018995 - ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014
(current_events.rules)
  2018996 - ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014
(current_events.rules)
  2018997 - ET CURRENT_EVENTS Archie EK Secondary Landing Aug 24 2014
(current_events.rules)
  2018998 - ET CURRENT_EVENTS Archie EK Landing Aug 24 2014
(current_events.rules)
  2018999 - ET TROJAN Win32/Spy.Tuscas (trojan.rules)
  2019000 - ET TROJAN Windows ipconfig Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019001 - ET TROJAN Windows net start Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019002 - ET TROJAN Windows systeminfo Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019003 - ET TROJAN Windows netstat Microsoft Windows DOS prompt
command exit OUTBOUND (trojan.rules)
  2019004 - ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25

Jake Warren | 25 Aug 19:49 2014

Tuscas Check-in Sig

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Tuscas C&C Check-in"; flow:established,to_server; content:"?version="; http_uri; content:"&group="; http_uri; content:"&client="; http_uri; content:"&computer="; http_uri; content:"&os="; http_uri; content:"&crc="; http_uri; pcre:"/^\/[ti]\?version=[0-9]+&group=[0-9]+&client=[a-z0-9]+&computer=.*?&os=[0-9\.]+&latency&crc=[0-9a-f]+$/U"; reference:url,stopmalvertising.com/malware-reports/analysis-of-tuscas.html; classtype:trojan-activity; sid:xxxxx; rev:1;)

Jake Warren
Level 2 Sr. Network Security Analyst
www.masergy.com
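
Added example, not part of either post: a small harness that pulls the pcre option out of a Snort rule, maps its modifier letters to Python regex flags, and runs the pattern against constructed URIs. It serves both the Nuclear EK sig above (whose pcre, as first posted, left '.' and '?' unescaped) and the Tuscas check-in sig in this post. The escaped Nuclear variant is this example's own correction, and every sample URI here is constructed; the sid placeholders are the posters' own.

```python
import re

# Rules as posted in the thread (the Nuclear EK sig re-joined onto one line).
NUCLEAR_AS_POSTED = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear '
    r'exploit kit redirection to exploit hosting site"; uricontent:"/show_ads.js?ver="; '
    r'nocase; pcre:"/show_ads.js?ver=[0-9]$/i"; '
    r'reference:url,http://malware-traffic-analysis.net/2014/08/25/index2.html; '
    r'sid:xxxxxx; gid:1; rev:1;)'
)
# This example's correction: '.' and '?' escaped, U so the pcre runs on the URI buffer.
NUCLEAR_ESCAPED = NUCLEAR_AS_POSTED.replace(
    r'pcre:"/show_ads.js?ver=[0-9]$/i"', r'pcre:"/\/show_ads\.js\?ver=[0-9]$/Ui"')
TUSCAS = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Tuscas C&C Check-in"; '
    r'flow:established,to_server; content:"?version="; http_uri; content:"&group="; http_uri; '
    r'content:"&client="; http_uri; content:"&computer="; http_uri; content:"&os="; http_uri; '
    r'content:"&crc="; http_uri; '
    r'pcre:"/^\/[ti]\?version=[0-9]+&group=[0-9]+&client=[a-z0-9]+&computer=.*?'
    r'&os=[0-9\.]+&latency&crc=[0-9a-f]+$/U"; classtype:trojan-activity; sid:xxxxx; rev:1;)'
)

# pcre:"/<body>/<modifiers>"  -- body may contain escaped characters such as \/ and \?
PCRE_OPTION = re.compile(r'pcre:"/((?:[^"\\]|\\.)*)/([A-Za-z]*)"')
# Modifier letters that are real PCRE flags; U, R and the other buffer letters are not.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def extract_pcre(rule):
    """Return (pattern, modifier letters) from the rule's pcre option."""
    m = PCRE_OPTION.search(rule)
    if m is None:
        raise ValueError("rule has no pcre option")
    return m.group(1), m.group(2)


def compile_snort_pcre(rule):
    """Compile the rule's pcre as a Python regex, honouring i/s/m/x."""
    pattern, modifiers = extract_pcre(rule)
    flags = 0
    for letter in modifiers:
        flags |= PCRE_FLAGS.get(letter, 0)
    return re.compile(pattern, flags)


def pcre_matches(rule, uri):
    """True if the rule's pcre matches the given (normalized) URI string."""
    return compile_snort_pcre(rule).search(uri) is not None


if __name__ == "__main__":
    # Constructed URIs: the real redirect shape, a two-digit version, and a lookalike
    # that only the unescaped pattern accepts ('.' matching X, 's?' absorbing the s).
    for uri in ("/show_ads.js?ver=1", "/show_ads.js?ver=12", "/show_adsXjsver=1"):
        print(f"{uri:22s} as posted={pcre_matches(NUCLEAR_AS_POSTED, uri)!s:5s} "
              f"escaped={pcre_matches(NUCLEAR_ESCAPED, uri)}")
    beacon = "/t?version=1&group=2&client=abc123&computer=WIN-PC&os=6.1&latency&crc=deadbeef"
    print("Tuscas constructed beacon:", pcre_matches(TUSCAS, beacon))
    print("Tuscas truncated query:   ", pcre_matches(TUSCAS, "/t?version=1&group=2"))
```

The point the Nuclear rows make: with the metacharacters unescaped the pcre never fires on the real redirect URI, yet would accept a string the uricontent would never see, so the rule silently detects nothing. For the Tuscas sig the anchored pattern only matches the full parameter sequence ending in a hex crc, which is what keeps it quiet on ordinary query strings.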

Will Metcalf | 23 Aug 21:38 2014

Malvertising Related EK sigs (Weekend Update)

[***]          Summary:          [***]

@malware_traffic did a write-up on updates to a malvertising-related EK that @malwaresigs spotted in Oct 2013.

http://malware-traffic-analysis.net/2014/08/22/index2.html

We pushed out some rules to detect the updated version.

[+++]          Added rules:          [+++]

  2018988 - ET CURRENT_EVENTS Unknown Malvertising EK Landing Aug 22 2014 (current_events.rules)
  2018989 - ET CURRENT_EVENTS Unknown Malvertising EK Landing URI Sruct Aug 22 2014 (current_events.rules)
  2018990 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (current_events.rules)
  2018991 - ET CURRENT_EVENTS Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014 (current_events.rules)
  2018992 - ET CURRENT_EVENTS Unknown Malvertising EK Flash URI Sruct Aug 22 2014 (current_events.rules)
  2018993 - ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (current_events.rules)
Francis Trudeau | 23 Aug 00:26 2014

Daily Ruleset Update Summary 08/22/2014

 [***] Summary: [***]

 2 new Open signatures, 16 new Pro (2+14).  Sweet Orange, Various
Android, Meinhudong.A.

 Thanks:  Jake Warren.

 [+++]          Added rules:          [+++]

 Open:

  2018985 - ET TROJAN Suspicious User-Agent (Asteria md5) (trojan.rules)
  2018987 - ET CURRENT_EVENTS Sweet Orange EK Thread Specific Java
Exploit (current_events.rules)

 Pro:

  2808612 - ETPRO MALWARE Win32/FlyStudio Checkin (malware.rules)
  2808613 - ETPRO MOBILE_MALWARE RemoteAdmin.AndroidOS.Wodsha.a
Checkin (mobile_malware.rules)
  2808614 - ETPRO TROJAN Win32/Sality.H via SMTP (trojan.rules)
  2808615 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.d Checkin
(mobile_malware.rules)
  2808616 - ETPRO MOBILE_MALWARE Android/SMSreg.HS Checkin
(mobile_malware.rules)
  2808617 - ETPRO TROJAN VBS/Safa C2 (trojan.rules)
  2808618 - ETPRO MOBILE_MALWARE Android/HippoSms.B Request to C2
(mobile_malware.rules)
  2808619 - ETPRO TROJAN Win32/Meinhudong.A Checkin (trojan.rules)
  2808620 - ETPRO MALWARE PUP Adware/Crossrider Checkin (malware.rules)
  2808621 - ETPRO MALWARE PUP/Win32.IBryte Checkin via HTTP (malware.rules)
  2808622 - ETPRO TROJAN W32/Sohanad.ax Downloading PE (trojan.rules)
  2808623 - ETPRO MALWARE Adware C2 via Twitter (malware.rules)
  2808624 - ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 1 (trojan.rules)
  2808625 - ETPRO TROJAN Password Stealer PWS.Y!B2F Checkin 2 (trojan.rules)

 [///]     Modified active rules:     [///]

  2018960 - ET TROJAN ZeroLocker Downloading Config (trojan.rules)
  2018961 - ET TROJAN ZeroLocker Activity (trojan.rules)
  2018962 - ET TROJAN ZeroLocker Activity (trojan.rules)
  2018963 - ET CURRENT_EVENTS ZeroLocker EXE Download (current_events.rules)
  2018984 - ET TROJAN PlugX variant (trojan.rules)
  2806169 - ETPRO MOBILE_MALWARE Android.Enesoluty /
Trojan.AndroidOS.Maistealer.a Checkin (mobile_malware.rules)
  2808609 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 4
(mobile_malware.rules)

 [---]         Removed rules:         [---]

  2018903 - ET TROJAN Dyre SSL Self-Signed Cert Aug 06 2014 (trojan.rules)
  2808603 - ETPRO TROJAN Worm.Win32.SillyFDC Checkin (trojan.rules)
Jake Warren | 22 Aug 21:31 2014

Sweet Orange Sigs

A few sigs for the Sweet Orange EK:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Sweet Orange EK Common Java Exploit (2)"; flow:established,to_server; content:"GET "; depth:4; content:"/Fqxzdh.jar HTTP/1."; content:" Java/1."; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:xxxx; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Sweet Orange EK CDN Payload Request"; flow:established,to_server; content:"GET /cars.php?"; depth:14; pcre:"/[a-z]+=[0-9]+/R"; reference:url,malware-traffic-analysis.net/2014/08/21/index2.html; classtype:trojan-activity; sid:xxxx; rev:1;)

Revised signatures I submitted on 7/25:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Sweet Orange EK Common Flash Exploit"; flow:established,to_server; content:"GET "; depth:4; content:"/hxwXHAp HTTP/1."; distance:0; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:xxxx; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sweet Orange EK Cookie"; flow:established,from_server; content:"Set-cookie: mbzyn="; pcre:"/[a-zA-Z0-9\.]{19}__[0-9a-zA-Z\.]{21}--\;/R"; classtype:trojan-activity; sid:xxxx; rev:2;)

Jake Warren
Level 2 Sr. Network Security Analyst
www.masergy.com

Will Metcalf | 22 Aug 05:28 2014

Re: [Emerging-updates] Daily Ruleset Update Summary 08/21/2014

Fix is live. Sorry for the trouble.

Regards,

Will


On Thu, Aug 21, 2014 at 8:51 PM, Keith Butler wrote:
SID 2018984 needs a ‘U’ added to the pcre modifier.  It’s failing due to the preceding match being constrained to the http_uri:

22/8/2014 -- 01:28:51 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
22/8/2014 -- 01:28:51 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX variant"; flow:to_server,established; content:"GET"; http_method; content:"/p/"; depth:3; http_uri; pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/R"; content:"code.google.com"; fast_pattern:only; http_header; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; threshold: type both, count 1, seconds 30, track by_src; reference:md5,e2a4b96cce9de4fb126cfd5f5c73c3ed; reference:url,researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/; reference:url,www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; classtype:trojan-activity; sid:2018984; rev:3;)" from file /etc/suricata/rules/suricata.rules at line 13796


It loads successfully after changing:
FR:   pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/R
TO:   pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye|joompler|rubbay|tempzz)/UR

-kb

On Aug 21, 2014, at 10:25 PM, Francis Trudeau wrote:

> [***] Summary: [***]
>
> 9 Open signatures, 21 Pro (9+13).  OneLouder, Machete, Various
> Android, SillyFDC.
>
> Thanks:  @jaimeblascob, @EKWatcher and Nathan Fowler.
>
> [+++]          Added rules:          [+++]
>
>  Open:
>
>  2018976 - ET MALWARE Hoic.zip retrieval (malware.rules)
>  2018977 - ET MALWARE HOIC with booster outbound (malware.rules)
>  2018978 - ET WEB_SERVER HOIC with booster inbound (web_server.rules)
>  2018979 - ET TROJAN Miras C2 Activity (trojan.rules)
>  2018980 - ET TROJAN Machete FTP activity (trojan.rules)
>  2018981 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
> (current_events.rules)
>  2018982 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
> exe download (current_events.rules)
>  2018983 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
> (current_events.rules)
>  2018984 - ET TROJAN PlugX variant (trojan.rules)
>
>  Pro:
>
>  2808599 - ETPRO TROJAN Win32/Bancos.DI HTTP callback (trojan.rules)
>  2808600 - ETPRO TROJAN Backdoor.Perl.Shellbot.B IRC Checkin (trojan.rules)
>  2808601 - ETPRO TROJAN Win32/Qhost.PGZ Checkin (trojan.rules)
>  2808602 - ETPRO MOBILE_MALWARE Android/Crosate.N Checkin
> (mobile_malware.rules)
>  2808603 - ETPRO TROJAN Worm.Win32.SillyFDC Checkin (trojan.rules)
>  2808604 - ETPRO TROJAN W32.Virut IRC checkin (trojan.rules)
>  2808605 - ETPRO TROJAN Rogue.Win32/Defru Checkin (trojan.rules)
>  2808606 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin
> (mobile_malware.rules)
>  2808607 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin 2
> (mobile_malware.rules)
>  2808608 - ETPRO MOBILE_MALWARE Android.Riskware.SMSPay.AO Checkin 3
> (mobile_malware.rules)
>  2808609 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 4
> (mobile_malware.rules)
>  2808610 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 5
> (mobile_malware.rules)
>  2808611 - ETPRO TROJAN Win32/Spy.Usteal.C Checkin (trojan.rules)
>
>
> [///]     Modified active rules:     [///]
>
>  2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
> (web_server.rules)
>  2008411 - ET TROJAN LDPinch SMTP Password Report with mail client
> The Bat! (trojan.rules)
>  2009521 - ET TROJAN Win32/Nubjub.A HTTP Check-in  (trojan.rules)
>  2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
>  2010953 - ET SCAN Skipfish Web Application Scan Detected (scan.rules)
>  2011894 - ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin (trojan.rules)
>  2016913 - ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin
> (sending user info) (trojan.rules)
>  2802121 - ETPRO WORM Worm.Win32.Cospet.A Checkin (worm.rules)
>  2802830 - ETPRO TROJAN Win32.Banksun.A Checkin (trojan.rules)
>  2803129 - ETPRO TROJAN Palevo CnC Response (trojan.rules)
>  2803669 - ETPRO SCADA Progea Movicon PowerHMI Memory Corruption
> Negative Content Length (scada.rules)
>  2805870 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Placms.F Checkin
> (mobile_malware.rules)
>  2807674 - ETPRO POLICY Primecoin (policy.rules)
>
>
> [///]    Modified inactive rules:    [///]
>
>  2018537 - ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID
> Overflow CVE-2014-3466 (web_client.rules)
>
>
> [---]  Disabled and modified rules:  [---]
>
>  2016763 - ET SCAN Non-Malicious SSH/SSL Scanner on the run (scan.rules)
>  2802971 - ETPRO TROJAN Killproc.5707/Generic Checkin Request 1 (trojan.rules)
>  2803088 - ETPRO DNS Bracket in DNS Query - Possible Covert Channel (dns.rules)
>
>
> [---]         Disabled rules:        [---]
>
>  2014893 - ET SCAN critical.io Scan (scan.rules)
> _______________________________________________
> Emerging-updates mailing list
> https://lists.emergingthreats.net/mailman/listinfo/emerging-updates

_______________________________________________
Emerging-updates mailing list
https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
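
Added example, not code from the thread or from Emerging Threats: a small lint pass that reproduces the check Suricata applied to SID 2018984 above, so the "/R needs preceding match in the same buffer" error can be caught before a ruleset ships. It walks the rule options in order, remembers which buffer the most recent content match was pinned to by a Snort 2 style modifier keyword (http_uri, http_header, ...), and flags any pcre that uses /R without the matching buffer letter. It covers only those modifier keywords as used in this thread, not Suricata sticky buffers. The PlugX rule is quoted from the error above; the "fixed" variant applies Keith's /R to /UR change; the cookie rule is Jake's Sweet Orange sig from earlier in the thread, kept as a case that must not be flagged because both the content and the pcre run on the raw payload.

```python
import re

# Snort 2 content modifier keyword -> the PCRE letter that selects the same buffer.
BUFFER_MODIFIERS = {
    "http_uri": "U", "http_raw_uri": "I", "http_header": "H", "http_raw_header": "D",
    "http_method": "M", "http_cookie": "C", "http_raw_cookie": "K",
    "http_client_body": "P", "http_stat_code": "S", "http_stat_msg": "Y",
}
PCRE_BUFFER_LETTERS = set(BUFFER_MODIFIERS.values())
PCRE_VALUE = re.compile(r'"/(?:[^"\\]|\\.)*/([A-Za-z]*)"')

PLUGX_AS_SHIPPED = (
    r'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX variant"; '
    r'flow:to_server,established; content:"GET"; http_method; content:"/p/"; depth:3; http_uri; '
    r'pcre:"/(?:p(?:hphphphphphphp|thon)|(?:dropytho|admmmom)n|u(?:pdata-server|dom)|eyewheye'
    r'|joompler|rubbay|tempzz)/R"; content:"code.google.com"; fast_pattern:only; http_header; '
    r'content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; '
    r'content:!"Connection|3a 20|"; http_header; threshold: type both, count 1, seconds 30, '
    r'track by_src; reference:md5,e2a4b96cce9de4fb126cfd5f5c73c3ed; classtype:trojan-activity; '
    r'sid:2018984; rev:3;)'
)
PLUGX_FIXED = PLUGX_AS_SHIPPED.replace('/R"', '/UR"')   # Keith's correction
SWEET_ORANGE_COOKIE = (
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Sweet Orange EK Cookie"; '
    r'flow:established,from_server; content:"Set-cookie: mbzyn="; '
    r'pcre:"/[a-zA-Z0-9\.]{19}__[0-9a-zA-Z\.]{21}--\;/R"; classtype:trojan-activity; sid:xxxx; rev:2;)'
)


def split_options(rule):
    """Split the option body of a rule into 'key:value' strings, honouring quotes and \\; escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):       # keep escape pairs such as \; intact
            current += [ch, body[i + 1]]
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            if "".join(current).strip():
                options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if "".join(current).strip():
        options.append("".join(current).strip())
    return options


def lint_relative_pcre(rule):
    """Return a finding for every pcre that uses /R against a different buffer than the match before it."""
    findings = []
    previous = None          # buffer letter of the most recent match; None = raw payload
    seen_match = False
    for option in split_options(rule):
        key, _, value = option.partition(":")
        key = key.strip()
        if key in ("content", "uricontent"):
            seen_match = True
            previous = "U" if key == "uricontent" else None
        elif key in BUFFER_MODIFIERS:            # modifier keyword applies to the preceding content
            previous = BUFFER_MODIFIERS[key]
        elif key == "pcre":
            m = PCRE_VALUE.fullmatch(value.strip())
            if m is None:
                findings.append(f"could not parse pcre option: {option}")
                continue
            letters = set(m.group(1))
            actual = letters & PCRE_BUFFER_LETTERS
            if "R" in letters:
                expected = {previous} if previous else set()
                if not seen_match:
                    findings.append(f"pcre uses /R with no preceding match: {option}")
                elif actual != expected:
                    findings.append(
                        f"pcre /R needs buffer {''.join(sorted(expected)) or 'payload'} "
                        f"of the preceding match but has "
                        f"{''.join(sorted(actual)) or 'payload'}: {option}")
            seen_match = True                    # a pcre is itself a match point for later /R
            previous = next(iter(actual), None)
    return findings


if __name__ == "__main__":
    for name, rule in (("PlugX as shipped", PLUGX_AS_SHIPPED), ("PlugX fixed", PLUGX_FIXED),
                       ("Sweet Orange cookie", SWEET_ORANGE_COOKIE)):
        print(f"{name}: {lint_relative_pcre(rule) or 'OK'}")
```

Running this over a whole rules file before loading it into the sensor turns the load-time SC_ERR_INVALID_SIGNATURE into a review-time finding; the check is cheap because it never compiles the regex, it only compares the buffer letters against the modifier that preceded the pcre.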

Russell Fulton | 22 Aug 05:02 2014

more FPs: ET WEB_SERVER WebShell Generic - net user 2016680

Seeing FP on several of our blog sites.

R
Russell Fulton | 22 Aug 04:26 2014

likely FPs ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client 2014527

Some hits are associated with cloudfront.net; others seem to be web sessions downloading source code. A few are
delivering Flash content.

Looks as if the rule setting the flowbit is not tight enough.

I will be disabling it.

R
Francis Trudeau | 22 Aug 00:25 2014

Daily Ruleset Update Summary 08/21/2014

 [***] Summary: [***]

 9 Open signatures, 21 Pro (9+13).  OneLouder, Machete, Various
Android, SillyFDC.

 Thanks:  @jaimeblascob, @EKWatcher and Nathan Fowler.

 [+++]          Added rules:          [+++]

  Open:

  2018976 - ET MALWARE Hoic.zip retrieval (malware.rules)
  2018977 - ET MALWARE HOIC with booster outbound (malware.rules)
  2018978 - ET WEB_SERVER HOIC with booster inbound (web_server.rules)
  2018979 - ET TROJAN Miras C2 Activity (trojan.rules)
  2018980 - ET TROJAN Machete FTP activity (trojan.rules)
  2018981 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
(current_events.rules)
  2018982 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
exe download (current_events.rules)
  2018983 - ET CURRENT_EVENTS Probable OneLouder downloader (Zeus P2P)
(current_events.rules)
  2018984 - ET TROJAN PlugX variant (trojan.rules)

  Pro:

  2808599 - ETPRO TROJAN Win32/Bancos.DI HTTP callback (trojan.rules)
  2808600 - ETPRO TROJAN Backdoor.Perl.Shellbot.B IRC Checkin (trojan.rules)
  2808601 - ETPRO TROJAN Win32/Qhost.PGZ Checkin (trojan.rules)
  2808602 - ETPRO MOBILE_MALWARE Android/Crosate.N Checkin
(mobile_malware.rules)
  2808603 - ETPRO TROJAN Worm.Win32.SillyFDC Checkin (trojan.rules)
  2808604 - ETPRO TROJAN W32.Virut IRC checkin (trojan.rules)
  2808605 - ETPRO TROJAN Rogue.Win32/Defru Checkin (trojan.rules)
  2808606 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin
(mobile_malware.rules)
  2808607 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin 2
(mobile_malware.rules)
  2808608 - ETPRO MOBILE_MALWARE Android.Riskware.SMSPay.AO Checkin 3
(mobile_malware.rules)
  2808609 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 4
(mobile_malware.rules)
  2808610 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Iconosys.a Checkin 5
(mobile_malware.rules)
  2808611 - ETPRO TROJAN Win32/Spy.Usteal.C Checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM
(web_server.rules)
  2008411 - ET TROJAN LDPinch SMTP Password Report with mail client
The Bat! (trojan.rules)
  2009521 - ET TROJAN Win32/Nubjub.A HTTP Check-in  (trojan.rules)
  2009833 - ET SCAN WITOOL SQL Injection Scan (scan.rules)
  2010953 - ET SCAN Skipfish Web Application Scan Detected (scan.rules)
  2011894 - ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin (trojan.rules)
  2016913 - ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin
(sending user info) (trojan.rules)
  2802121 - ETPRO WORM Worm.Win32.Cospet.A Checkin (worm.rules)
  2802830 - ETPRO TROJAN Win32.Banksun.A Checkin (trojan.rules)
  2803129 - ETPRO TROJAN Palevo CnC Response (trojan.rules)
  2803669 - ETPRO SCADA Progea Movicon PowerHMI Memory Corruption
Negative Content Length (scada.rules)
  2805870 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Placms.F Checkin
(mobile_malware.rules)
  2807674 - ETPRO POLICY Primecoin (policy.rules)

 [///]    Modified inactive rules:    [///]

  2018537 - ET WEB_CLIENT Possible GnuTLS Client ServerHello SessionID
Overflow CVE-2014-3466 (web_client.rules)

 [---]  Disabled and modified rules:  [---]

  2016763 - ET SCAN Non-Malicious SSH/SSL Scanner on the run (scan.rules)
  2802971 - ETPRO TROJAN Killproc.5707/Generic Checkin Request 1 (trojan.rules)
  2803088 - ETPRO DNS Bracket in DNS Query - Possible Covert Channel (dns.rules)

 [---]         Disabled rules:        [---]

  2014893 - ET SCAN critical.io Scan (scan.rules)
