mex | 19 Dec 20:55 2014

FYI: possible RCE in NTPD


not much info nor poc yet:

- http://support.ntp.org/bin/view/Main/SecurityNotice (advisory, offline atm)
- http://www.kb.cert.org/vuls/id/852879

short summary from the advisory:

Buffer overflow in crypto_recv()
     Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a crypto pw ... directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process

Buffer overflow in ctl_putdata()
     Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

Buffer overflow in configure()
     Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege

Colony.Three | 19 Dec 19:10 2014

Mass TOR Rule Modifications

I have one machine which serves as the LAN TOR gateway.  TOR traffic is authorized to and from this machine.

But I get blizzards of alerts to/from this machine and for two weeks I've been in a seemingly-unending exercise of rule modifications.  For every minute change in the character of a TOR packet I must rewrite that particular ET rule, and it is starting to look like I will never get them all.

This is practically unworkable.  Why are the TOR rules broken out in unending detail, and isn't the maintenance of hundreds of these rules by ET, time and resource-consuming, when there's little/no benefit from breaking them out so atomically?  Isn't there a global variable I can set which would control? 

I can't see the tree for the forest in this case.

Kevin Ross | 19 Dec 09:53 2014

SIG:

This actually queries off HTTP port (8080). I have seen this pattern for a few days now though.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Dridex Distribution Campaign - Dec 2014"; flow:established,to_server; content:"/stat/lldv.php"; http_uri; depth:14; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; classtype:trojan-activity; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; sid:164991; rev:1;)


Kind Regards,
Kevin Ross
Russell Fulton | 19 Dec 03:05 2014

FYI: FP ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Payload 2014445

Seeing hits from quite a few hosts on campus all against bbs.skykiwi.com

R

GET /forum.php?mod=post&action=reply&fid=23&tid=2906726&repquote=47256619&extra=&page=1&infloat=yes&handlekey=reply&inajax=1&ajaxtarget=fwin_content_reply HTTP/1.1
Host: bbs.skykiwi.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: */*
Referer: http://bbs.skykiwi.com/forum.php?mod=viewthread&tid=2906726&page=1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,en-US;q=0.2
Cookie: 0Bpz_2132_home_readfeed=1412626640; 0Bpz_2132_ulastactivity=f2dc9DNdJUcePQKlXUejn7BRXzpEPsXRYhiz2yrfznWIS5JajGmW;  <lots more stuff >
Francis Trudeau | 19 Dec 01:53 2014

Daily Ruleset Update Summary 12/18/2014

 [***] Summary: [***]

 7 new Open signatures, 17 new Pro (7 + 10).  Upatre, PhaseBot, Dyre, Angler EK.

 Thanks:  Kevin Ross and @EKWatcher

 [+++]          Added rules:          [+++]

 Open:

  2019967 - ET CURRENT_EVENTS Evil Flash Redirector to RIG EK Dec 17 2014 (current_events.rules)
  2019968 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (2) (current_events.rules)
  2019969 - ET CURRENT_EVENTS Angler EK XTEA encrypted binary (3) (current_events.rules)
  2019970 - ET CURRENT_EVENTS Upatre Download Redirection Dec 18 2014 (current_events.rules)
  2019973 - ET CURRENT_EVENTS Archie EK T2 Activity Dec 18 2014 (current_events.rules)
  2019974 - ET MALWARE PUP W32/DownloadGuide.D (malware.rules)
  2019975 - ET TROJAN Syrian.Slideshow Sending Information via SMTP (trojan.rules)

 Pro:

  2809363 - ETPRO TROJAN PhaseBot Checkin (trojan.rules)
  2809364 - ETPRO TROJAN Backdoor.Linux.Agent.H CnC (trojan.rules)
  2809365 - ETPRO WEB_SPECIFIC_APPS E-Journal SQLi Attempt (web_specific_apps.rules)
  2809366 - ETPRO WEB_SPECIFIC_APPS ProjectSend Shell Upload Exploit Attempt (web_specific_apps.rules)
  2809367 - ETPRO TROJAN Win32.Klmded Checkin (trojan.rules)
  2809368 - ETPRO TROJAN Dyre Keep-Alive POST (trojan.rules)
  2809369 - ETPRO TROJAN Dyre HTTP Request Headers (trojan.rules)
  2809370 - ETPRO TROJAN Dyre Credentials POST (trojan.rules)
  2809371 - ETPRO TROJAN EXE/SCR disguised as compressed PDF set (trojan.rules)
  2809372 - ETPRO TROJAN EXE/SCR disguised as compressed PDF (trojan.rules)

 [///]     Modified active rules:     [///]

  2019770 - ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014 (current_events.rules)
  2019950 - ET CURRENT_EVENTS Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014 (current_events.rules)
  2809267 - ETPRO TROJAN W32/TinyZBot Connectivity Check (Operation Cleaver) (trojan.rules)
Kevin Ross | 19 Dec 00:45 2014

SIG: ET POLICY DNS Query for Invisible Internet Project Domain

alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for Invisible Internet Project Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|i2p|00|"; distance:0; classtype:policy-violation; reference:url,geti2p.net; sid:150331; rev:1;)


Kind Regards,
Kevin Ross
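To make the byte pattern in this signature concrete, here is an added example (not from the post or the ET ruleset) that builds a DNS query and applies the rule's two checks in the same order the engine would: the ten header bytes at offset 2, then the label-encoded ".i2p" suffix searched from the end of that match. Query names are constructed for the demonstration.

```python
import struct

# Bytes 2..11 of a DNS message: flags 0x0100 (standard query, RD set),
# QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0. This is what the rule's
# content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; matches.
RULE_HEADER = bytes.fromhex("01000001000000000000")
# Label-encoded "i2p" TLD followed by the root terminator: |03|i2p|00|
I2P_SUFFIX = b"\x03i2p\x00"


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", 1, 1)


def matches_i2p_rule(payload: bytes) -> bool:
    """Apply the signature's two content checks in order."""
    # depth:10; offset:2 -> the ten bytes starting at byte 2 must equal RULE_HEADER
    if payload[2:12] != RULE_HEADER:
        return False
    # distance:0 on the second content -> search from the end of the first match
    return I2P_SUFFIX in payload[12:]


def qname_from_wire(payload: bytes) -> str:
    """Decode the question name so an alert can report which host was looked up."""
    labels, pos = [], 12
    while payload[pos] != 0:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def as_response(query: bytes) -> bytes:
    """Flip the flags to a standard response (0x8180); the rule should not fire."""
    return query[:2] + b"\x81\x80" + query[4:]
```

Because the first content pins the flags and counts, only queries match; the corresponding responses and queries for names that merely contain "i2p" as a non-final label do not.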
Kevin Ross | 18 Dec 17:27 2014

SIGS: ET MALWARE W32/DownloadGuide.D Adware

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadGuide.D Adware CnC Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"/config-from-production"; http_uri; fast_pattern:only; content:"{|22|os|22 3A 22|"; http_client_body; depth:7; content:"|22|lang|22 3A 22|"; http_client_body; distance:0; content:"|22|uid|22 3A 22|"; http_client_body; distance:0; content:"|22|prod|22 3A 22|"; http_client_body; distance:0; classtype:trojan-activity; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; sid:159991; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/DownloadGuide.D Adware CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"{|22|BuildId|22 3A 22|"; fast_pattern; http_client_body; depth:12; content:"|22|Client|22 3A 22|"; http_client_body; distance:0; content:"|22|DlgVersion|22 3A 22|"; http_client_body; distance:0; content:"|22|Culture|22 3A 22|"; http_client_body; distance:0; content:"|22|SessionId|22 3A 22|"; http_client_body; distance:0; content:"|22|MessageName|22 3A 22|"; http_client_body; distance:0; content:"|22|Campaign|22 3A 22|"; http_client_body; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; sid:159992; rev:1;)


Kind Regards,
Kevin Ross
Francis Trudeau | 18 Dec 00:45 2014

Daily Ruleset Update Summary 12/17/2014

 [***] Summary: [***]

 10 new Open signatures, 24 new Pro (10 + 14).  CoolReaper, SoakSoak, Spy.Banker.AAXV.

 Thanks:  Nathan Fowler, Kevin Ross, @rmkml and @abuse_ch.

 [+++]          Added rules:          [+++]

 Open:

  2019957 - ET WEB_SERVER Generic PHP Remote File Include (web_server.rules)
  2019958 - ET MOBILE_MALWARE CoolReaper CnC Beacon 1 (mobile_malware.rules)
  2019959 - ET MOBILE_MALWARE CoolReaper CnC Beacon 2 (mobile_malware.rules)
  2019960 - ET MOBILE_MALWARE CoolReaper User-Agent (mobile_malware.rules)
  2019961 - ET TROJAN Win32/Spy.Banker.AAXV Retrieving key from Pinterest (trojan.rules)
  2019962 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (trojan.rules)
  2019963 - ET SCAN Acunetix Accept HTTP Header detected scan in progress (scan.rules)
  2019964 - ET TROJAN Win32.Backdoor checkin (trojan.rules)
  2019965 - ET TROJAN FinancialStatement Keylogger POSTing keystrokes (trojan.rules)
  2019966 - ET TROJAN Win32/Poweliks.A Checkin 2 (trojan.rules)

 Pro:

  2809349 - ETPRO WEB_SPECIFIC_APPS Download Manager WP Plugin Arbitrary File Upload 2 (web_specific_apps.rules)
  2809350 - ETPRO WEB_SPECIFIC_APPS Symposium WP Plugin Arbitrary File Upload (web_specific_apps.rules)
  2809351 - ETPRO TROJAN Win32/Ratosto.A Checkin (trojan.rules)
  2809352 - ETPRO TROJAN Win32/ChkBot.A IRC Checkin (trojan.rules)
  2809353 - ETPRO WEB_SPECIFIC_APPS Download Manager WP Plugin RCE Attempt (web_specific_apps.rules)
  2809354 - ETPRO TROJAN SoakSoak Malware Checkin (trojan.rules)
  2809355 - ETPRO TROJAN Backdoor.Win32.Speccom.A Checkin (trojan.rules)
  2809356 - ETPRO TROJAN Win32/Locker.Nikifer Checkin (trojan.rules)
  2809357 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.b Checkin 2 (mobile_malware.rules)
  2809358 - ETPRO TROJAN Win32/Injector.BRLE Checkin (trojan.rules)
  2809359 - ETPRO TROJAN Win32/Injector.BRLE Checkin Response - Fake Internal Server Error (trojan.rules)
  2809360 - ETPRO TROJAN Win32.Staser.aqkw Checkin (trojan.rules)
  2809361 - ETPRO POLICY Win32/RemoteAdmin.RemoteUtilities XML Checkin (policy.rules)
  2809362 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Wroba.f Checkin (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2019193 - ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014 (current_events.rules)
  2019939 - ET CURRENT_EVENTS SoakSoak Malware GET request (current_events.rules)
  2805646 - ETPRO TROJAN Backdoor.Win32.Bezigate Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2002385 - ET TROJAN IRC channel topic reptile commands (trojan.rules)
  2807684 - ETPRO TROJAN Trojan.Agent.AIXD Checkin (trojan.rules)
  2808731 - ETPRO TROJAN Win32.QQPass.abvu Retrieving key from Pinterest (trojan.rules)
Nathan | 17 Dec 18:07 2014

Proposed Signature - ET SCAN Acunetix Accept HTTP Header detected scan in progress

Hello, I propose the below rule to detect Acunetix in the Accept HTTP
header.  While there is coverage for Acunetix in 2008571 and 2009646, I believe
we can add a more comprehensive facet of detection by including the below, which
does not fixate on the User-Agent like 2009646 or a single URI like 2008571 and is
more fixated on the actual HTTP header structure.

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"ET SCAN Acunetix Accept HTTP Header detected scan in progress"; 
flow:established,to_server; 
content:"Accept|3a 20|acunetix"; http_header;
threshold: type limit, count 1, seconds 60, track by_src; 
reference:url,www.acunetix.com/; 
classtype:attempted-recon; sid:x; rev:x;)

Example Observed Traffic:

GET /css/phpliteadmin.php HTTP/1.1
Accept: acunetix/wvs
Cookie: JSESSIONID=REDACTED; lamFlashIntro=yes
Host: REDACTED
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)

Cheers,
Nathan
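The two parts of the proposed rule that decide whether an alert is raised are the case-sensitive `Accept|3a 20|acunetix` header match and the `type limit, count 1, seconds 60, track by_src` threshold. The added example below (not from the post or the ET ruleset) models both over constructed requests modelled on the observed traffic; it assumes the `http_header` buffer covers the header fields after the request line, and it is a simplified model of the threshold keyword rather than the engine's own implementation.

```python
# content:"Accept|3a 20|acunetix"; http_header; -- a case-sensitive byte match,
# since the rule carries no nocase modifier.
ACCEPT_PATTERN = b"Accept: acunetix"

# threshold: type limit, count 1, seconds 60, track by_src
THRESHOLD_COUNT = 1
THRESHOLD_SECONDS = 60


def request_matches(raw_request: bytes) -> bool:
    """True when the rule's content appears in the HTTP header fields."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    # http_header (as modelled here) excludes the request line itself
    headers = head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""
    return ACCEPT_PATTERN in headers


class LimitThreshold:
    """'type limit': at most `count` alerts per source in each `seconds` window."""

    def __init__(self, count=THRESHOLD_COUNT, seconds=THRESHOLD_SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> (window_start, alerts_seen_in_window)

    def should_alert(self, src: str, now: float) -> bool:
        start, seen = self.windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            start, seen = now, 0  # open a fresh window for this source
        seen += 1
        self.windows[src] = (start, seen)
        return seen <= self.count


def run(events, threshold=None):
    """events: (timestamp, src_ip, raw_request) tuples; returns (ts, src) alerted."""
    threshold = threshold or LimitThreshold()
    return [(ts, src) for ts, src, raw in events
            if request_matches(raw) and threshold.should_alert(src, ts)]


# Constructed sample traffic; hosts and addresses are documentation ranges.
SCAN_REQUEST = (b"GET /css/phpliteadmin.php HTTP/1.1\r\n"
                b"Accept: acunetix/wvs\r\n"
                b"Host: 192.0.2.10\r\n"
                b"Connection: Keep-alive\r\n\r\n")
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Accept: */*\r\n"
                  b"Host: 192.0.2.10\r\n\r\n")
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", SCAN_REQUEST),
    (1.0, "198.51.100.7", SCAN_REQUEST),    # suppressed: same source, same window
    (2.0, "198.51.100.7", NORMAL_REQUEST),  # no match at all
    (3.0, "203.0.113.5", SCAN_REQUEST),     # a second source gets its own window
    (61.0, "198.51.100.7", SCAN_REQUEST),   # first source, new 60-second window
]
```

Running `run(SAMPLE_EVENTS)` yields three alerts from five events, which is the noise reduction the threshold buys during a scan; note that an `Accept: ACUNETIX/wvs` header would not match at all because the content is case-sensitive.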

Kevin Ross | 17 Dec 16:59 2014

SIGS: TROJAN & MALWARE

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MultiPlug.Adware CnC Beacon"; flow:established,to_server; content:"/?step_id="; http_uri; content:"&installer_id="; http_uri; content:"&country_code="; http_uri; content:"&browser_id="; http_uri; content:"&download_id="; http_uri; content:"&hardware_id="; http_uri; content:"&installer_file_name="; http_uri; content:"&project_encode_id="; http_uri; classtype:trojan-activity; reference:md5,79af910077289bebf72b4ce167f74a6f; sid:169881; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/PWS.Stealer.13336 CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action="; http_uri; content:"&username="; http_uri; content:"&password="; http_uri; content:"&app="; http_uri; content:"&pcname="; http_uri; content:"&sitename="; http_uri; classtype:trojan-activity; reference:md5,e173ac6bc32e5d5d3696eaf14a5841e3; sid:169882; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/PWS.Stealer.13336 Specific User Agent Detected"; flow:established,to_server; content:"User-Agent|3A| HardCore Software For |3A| "; http_header; fast_pattern:12,20; classtype:trojan-activity; reference:md5,e173ac6bc32e5d5d3696eaf14a5841e3; sid:169883; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN POST To Index.php/html IP Host With No Referer - Common Trojan Beacon Struct"; flow:established,to_server; content:"POST"; http_method; content:"/index."; http_uri; pcre:"/\x2Findex\x2E(php|html)$/U"; content:!"Referer|3A|"; http_header; content:"Host|3A|"; http_header; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1; within:3; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/H"; classtype:trojan-activity; sid:169884; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Spy.Banker.AAXV Pinterest Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/pin/"; http_uri; depth:5; content:"User-Agent: Internet Explorer 6.0"; http_header; fast_pattern:12,20; content:"HTTP/1.1|0D 0A|User-Agent|3A| Internet Explorer 6.0|0D 0A|Host|3A| www.pinterest.com|0D 0A 0D 0A|"; classtype:trojan-activity; reference:md5,d48b9589424e6ba3b253b449766e6070; sid:169885; rev:1;)

Kind Regards,
Kevin Ross
Chuan Wei Lee | 17 Dec 04:12 2014

Question about SoakSoak Malware signature

Hi,

I was looking into this signature and realized that the rule to match the content for "/etas/code" may be wrong.

=================================
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/etas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:1;)
=================================

I've looked around but there are no references to this. Should it be "/xteas/code" instead or am I missing something? Any advice?

Thanks!

Regards,
Nicholas Lee