Francis Trudeau | 18 Apr 00:12 2014

Daily Ruleset Update Summary 04/17/2014

 [***] Summary: [***]

 2 new Open signatures, 10 new Pro (2+8).  BitCrypt, Various
AndroidOS, Destrukor.

 [+++]          Added rules:          [+++]

 Open:

  2018399 - ET TROJAN BitCrypt site accessed via .onion SSL Proxy (trojan.rules)
  2018400 - ET TROJAN BitCrypt Ransomware Domain (trojan.rules)

 Pro:

  2807962 - ETPRO TROJAN Trojan-PSW.Win32.Tepfer.tlha Checkin (trojan.rules)
  2807963 - ETPRO TROJAN Win32.Induc.O Checkin (trojan.rules)
  2807964 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.ig Checkin
(mobile_malware.rules)
  2807965 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.ABQ Checkin
(mobile_malware.rules)
  2807966 - ETPRO TROJAN W32.Tinba/Zusy Checkin 2 (trojan.rules)
  2807967 - ETPRO TROJAN Backdoor.Win32.Destrukor.20 Checkin (trojan.rules)
  2807968 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Marcher.a
Checkin (mobile_malware.rules)
  2807969 - ETPRO TROJAN Betabot.3 checkin (trojan.rules)

 [///]     Modified active rules:     [///]

  2015576 - ET CURRENT_EVENTS DNS Query to tor2web Domain (.onion
proxy) (current_events.rules)

Anshuman Anil Deshmukh | 17 Apr 19:34 2014

Re: [Snort-users] Some signatures not appearing in the log

That reminds me to give additional information on my issue, which is: I'm using the free set of signatures
from ERT & Sourcefire. So in my case VRT is out of scope.

Regards,
Anshuman

Sent from Handheld

On 17-Apr-2014 5:37 pm, Conma <conma293 <at> gmail.com> wrote:
>
> I thought that if you set the 'security' policy setting in pulled pork it only downloads VRT but this does
> not seem to be the case...
>
> Sorry to ask another question on your thread but I seem to only be getting alert descriptions for some (I
> think predom vrt) rules, while a lot just say the stupid snort rule 1:2464454 thing....
>
> Any guidance on this? Assumed that was from the Sid-MSG.map which pulled pork updates anyways?
>
> Sent from my iPad
>
> On 17/04/2014, at 7:55 pm, Anshuman Anil Deshmukh <anshuman <at> cybage.com> wrote:
>
>> Hi,
>>
>> I was just referring to the latest signature Daily Ruleset update summary with my latest log for
>> signature updates. I see that one of the signature is missing. Signature missing is "2008282 - ET MALWARE
>> Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken
>> ultimately all the rules should get downloaded no matter which rule state we use. Rule state would just

Dewhirst, Rob | 17 Apr 18:33 2014

negated variables in rules

We were testing another sensor today and found that several rules
won't work (in our case import) because they use negated variables
that might (or do) evaluate to "!any" for a src or dst.

I noticed my (very old) Beale Snort book actually mentions this rule
writing practice was dropped from the default Snort rule set because
of this logic issue.

Is there a technical reason ET has rules using:

!$DNS_SERVERS any -> $DNS_SERVERS
!$SMTP_SERVERS  any -> !$HOME_NET
![$DNS_SERVERS,$SMTP_SERVERS]

Or are these rules just old and no one has used "any" for these
variables before?
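
A way to catch such rules before they are loaded on a sensor is to expand the $VAR references in every rule header against the ipvar definitions and report each negated field whose expansion contains "any". The lint script below is an added example, not Emerging Threats or Snort code; the variable values and the three rules are constructed for the demonstration, while the header forms are the three quoted in the message. It only reports the "!any" cases; how the engine treats them is the question the message raises.

```python
"""Lint rule headers for negated variables that expand to "!any".

Added example, not Emerging Threats or Snort tooling. The variable values and
the three rules below are constructed for the demonstration; the header forms
are the ones quoted in the post."""
import re

# Constructed snort.conf fragment: DNS_SERVERS is left at its default "any".
SNORT_CONF = """
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS any
ipvar SMTP_SERVERS $HOME_NET
"""

# Constructed rules using the header forms from the post (local SIDs).
RULES = """\
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"constructed 1"; sid:9000001; rev:1;)
alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg:"constructed 2"; sid:9000002; rev:1;)
alert tcp ![$DNS_SERVERS,$SMTP_SERVERS] any -> $EXTERNAL_NET any (msg:"constructed 3"; sid:9000003; rev:1;)
"""

VAR_RE = re.compile(r"\$(\w+)")
HEADER_RE = re.compile(
    r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+"
    r"(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s*\("
)


def parse_vars(conf_text):
    """Collect ipvar/portvar/var definitions into a name -> value map."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(?:ipvar|portvar|var)\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def expand(expr, variables, depth=0):
    """Substitute $NAME references until none remain (values may reference other variables)."""
    if depth > 16:
        raise ValueError("variable reference loop in %r" % expr)
    new = VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), expr)
    return new if new == expr else expand(new, variables, depth + 1)


def negated_any(expr, variables):
    """True if the expanded field is negated and any member of it is 'any'."""
    expanded = expand(expr, variables)
    if not expanded.startswith("!"):
        return False
    members = re.split(r"[\[\],]", expanded[1:])   # split list brackets and commas
    return any(tok.strip().lower() == "any" for tok in members)


def lint_rules(rules_text, variables):
    """Return (line_no, field, original, expanded) for each header field that becomes '!any'."""
    findings = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        for field, value in (("src", src), ("sport", sport), ("dst", dst), ("dport", dport)):
            if negated_any(value, variables):
                findings.append((line_no, field, value, expand(value, variables)))
    return findings


if __name__ == "__main__":
    for line_no, field, value, expanded in lint_rules(RULES, parse_vars(SNORT_CONF)):
        print("rule line %d: %s %s expands to %s" % (line_no, field, value, expanded))
```

Run against the constructed input it reports rule 1 (source "!$DNS_SERVERS" becomes "!any") and rule 3 (the negated list still contains "any" after expansion), and passes rule 2, whose negations expand to a concrete network.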

Anshuman Anil Deshmukh | 17 Apr 09:55 2014

Some signatures not appearing in the log

Hi,

I was just referring to the latest signature Daily Ruleset update summary with my latest log for signature updates. I see that one of the signatures is missing. The missing signature is "2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)". If I am not mistaken, ultimately all the rules should get downloaded no matter which rule state we use. The rule state would just enable or disable the rule depending upon which rule state is configured.

I am using the state "Security over connectivity". Pulledpork 0.70 is used to update the rules; we are on Snort 2.9.5 GRE (Build 103). I understand that the Snort version is quite old, but as I am already getting all other signatures it doesn't look like an issue with the Snort version, right? This is my test setup and it is used for learning purposes.

See the log extract from sid_changes.log below.

Thank you in advance.

-=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

New Rules
     ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
     ET CNC Zeus Tracker Reported CnC Server TCP group 24 (1:2404196)
     ET CNC Zeus Tracker Reported CnC Server UDP group 24 (1:2404197)
     ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 41 (1:2500080)
     ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 42 (1:2500082)
     ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 41 (1:2500081)
     ET COMPROMISED Known Compromised or Hostile Host Traffic UDP group 42 (1:2500083)
     ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
     ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (1:2018395)
     ET TROJAN Common Upatre Header Structure (1:2018394)
     ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
     ET TROJAN plasmabot Checkin (1:2018393)

Deleted Rules
     ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
     ET CINS Active Threat Intelligence Poor Reputation IP UDP group 38 (1:2403375)
     ET CNC Spyeye Tracker Reported CnC Server TCP group 13 (1:2404124)
     ET CNC Spyeye Tracker Reported CnC Server UDP group 13 (1:2404125)
     ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
     ET TOR Known Tor Relay/Router (Not Exit) Node UDP Traffic group 509 (1:2523017)

Set Policy: security

Rule Totals
     New:-------12
     Deleted:---6
     Enabled:---6148
     Dropped:---0
     Disabled:--32295
     Total:-----38443

IP Blacklist Stats
     Total IPs:-----2590

-=End Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-

Regards,
Anshuman

-----Original Message-----
From: emerging-updates-bounces-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org [mailto:emerging-updates-bounces-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org] On Behalf Of Francis Trudeau
Sent: Thursday, April 17, 2014 4:28 AM
To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
Subject: [Emerging-updates] Daily Ruleset Update Summary 04/16/2014

[***] Summary: [***]

6 new Open signatures, 16 new Pro (6/10).  CryptoDefense, Nuclear EK, InstallBrain, Hupigon.

Thanks:  Nathan Fowler, tdzmont, @EKWatcher

[+++]          Added rules:          [+++]

Open:

  2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin (malware.rules)
  2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
  2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
  2018395 - ET TROJAN  Possible Kelihos.F EXE Download Common Structure 2 (trojan.rules)
  2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (current_events.rules)
  2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)

Pro:

  2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
  2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
  2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
  2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
  2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
  2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin (trojan.rules)
  2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
  2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin (mobile_malware.rules)
  2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
  2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014 (current_events.rules)

[///]     Modified active rules:     [///]

  2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure (trojan.rules)
  2017714 - ET TROJAN PlugX Checkin (trojan.rules)
  2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
  2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
  2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response (current_events.rules)
  2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2 (current_events.rules)
  2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
  2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)

[---]         Removed rules:         [---]

  2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin (malware.rules)
  2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
_______________________________________________
Emerging-updates mailing list
Emerging-updates-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org
https://lists.emergingthreats.net/mailman/listinfo/emerging-updates
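The summary quoted in the post lists 2008282 under both Added rules (malware.rules) and Removed rules (trojan.rules), and the sid_changes.log entries are keyed by GID:SID, so on that reading a rule that keeps its SID and only changes category file is not expected to show up as New or Deleted in the log. The script below is an added example, not pulledpork's or Emerging Threats' code: it parses both formats exactly as they are printed above (rejoining the line-wrapped summary entries), then classifies each Open SID the summary added as seen as new by the log, a same-SID move between rule files, or absent, and lists SIDs the log added that the summary did not announce. The two sample texts are shortened copies of the blocks quoted in the post; the "moved" classification is this example's interpretation of the two formats, not something the post states.

```python
"""Cross-check an Emerging Threats daily summary against pulledpork's
sid_changes.log. Added example, not pulledpork's or ET's code; the sample
texts are shortened copies of the summary and log quoted in the post."""
import re

SUMMARY = """\
 [+++]          Added rules:          [+++]
 Open:
  2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake
AV Checkin (malware.rules)
  2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
  2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert
(current_events.rules)
  2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)
 [---]         Removed rules:         [---]
  2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin
(malware.rules)
  2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
"""

SID_CHANGES = """\
-=Begin Changes Logged for Thu Apr 17 07:20:33 2014 GMT=-
New Rules
     ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 (1:2405088)
     ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert (1:2018396)
     ET TROJAN CryptoDefense DNS Domain Lookup (1:2018397)
     ET TROJAN plasmabot Checkin (1:2018393)
Deleted Rules
     ET CINS Active Threat Intelligence Poor Reputation IP TCP group 38 (1:2403374)
     ET TOR Known Tor Relay/Router (Not Exit) Node TCP Traffic group 509 (1:2523016)
Set Policy: security
Rule Totals
     New:-------12
"""

SECTION_RE = re.compile(
    r"\[(?:\+\+\+|///|---)\]\s+(Added rules|Modified active rules|Removed rules):")
ENTRY_RE = re.compile(r"^(\d{7})\s+-\s+(.*?)\s+\((\w+\.rules)\)")   # "SID - msg (file.rules)"
LOG_ENTRY_RE = re.compile(r"^(.*?)\s+\((\d+):(\d+)\)$")              # "msg (gid:sid)"


def parse_summary(text):
    """Map section -> {sid: (msg, rules file)}; wrapped entries are rejoined first."""
    sections, section, entries = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SECTION_RE.search(line)
        if hdr:
            section = hdr.group(1)
            sections[section] = {}
        elif section and re.match(r"\d{7}\s+-\s", line):
            entries.append((section, [line]))
        elif section and entries and line and not line.endswith(":"):
            entries[-1][1].append(line)            # continuation of a wrapped entry
    for section, parts in entries:
        m = ENTRY_RE.match(" ".join(parts))
        if m:
            sections[section][int(m.group(1))] = (m.group(2), m.group(3))
    return sections


def parse_sid_changes(text):
    """Map 'New Rules'/'Deleted Rules' -> {sid: msg} from the sid_changes.log extract."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("New Rules", "Deleted Rules"):
            section = line
            out[section] = {}
            continue
        m = LOG_ENTRY_RE.match(line)
        if section and m:
            out[section][int(m.group(3))] = m.group(1)
        elif line:
            section = None                         # any other text ends the section
    return out


def reconcile(summary, changes):
    """Classify each SID the summary added and list log additions the summary lacks."""
    added = summary.get("Added rules", {})
    removed = summary.get("Removed rules", {})
    new = changes.get("New Rules", {})
    report = {}
    for sid, (_msg, rules_file) in added.items():
        if sid in new:
            report[sid] = "new in log"
        elif sid in removed:
            report[sid] = "moved %s -> %s, same SID" % (removed[sid][1], rules_file)
        else:
            report[sid] = "not in log"
    unannounced = sorted(set(new) - set(added))    # e.g. list-generated CNC rules
    return report, unannounced


if __name__ == "__main__":
    report, unannounced = reconcile(parse_summary(SUMMARY), parse_sid_changes(SID_CHANGES))
    for sid in sorted(report):
        print(sid, report[sid])
    print("in log but not in summary:", unannounced)
```

On the sample input 2018393, 2018396 and 2018397 come out as "new in log", 2008282 as a move from trojan.rules to malware.rules under the same SID, and 2405088 (a Shadowserver list rule) as present in the log without being announced in the summary.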

Francis Trudeau | 17 Apr 00:58 2014

Daily Ruleset Update Summary 04/16/2014

 [***] Summary: [***]

 6 new Open signatures, 16 new Pro (6/10).  CryptoDefense, Nuclear EK,
InstallBrain, Hupigon.

 Thanks:  Nathan Fowler, tdzmont, @EKWatcher

 [+++]          Added rules:          [+++]

 Open:

  2008282 - ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake
AV Checkin (malware.rules)
  2018393 - ET TROJAN plasmabot Checkin (trojan.rules)
  2018394 - ET TROJAN Common Upatre Header Structure (trojan.rules)
  2018395 - ET TROJAN  Possible Kelihos.F EXE Download Common
Structure 2 (trojan.rules)
  2018396 - ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert
(current_events.rules)
  2018397 - ET TROJAN CryptoDefense DNS Domain Lookup (trojan.rules)

 Pro:

  2807952 - ETPRO MALWARE Win32/ZvuZona.B Checkin (malware.rules)
  2807953 - ETPRO TROJAN Backdoor.Win32.Hupigon.occc Checkin (trojan.rules)
  2807954 - ETPRO TROJAN Win32/Rirlged.gen!A Checkin (trojan.rules)
  2807955 - ETPRO TROJAN Win32/Injector.Autoit.ZZ (trojan.rules)
  2807956 - ETPRO TROJAN Win32/AntiAV.NIN Download (trojan.rules)
  2807957 - ETPRO TROJAN Trojan-Dropper.Win32.Injector.kbly Checkin
(trojan.rules)
  2807958 - ETPRO MALWARE InstallBrain Checkin (malware.rules)
  2807959 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin
(mobile_malware.rules)
  2807960 - ETPRO TROJAN AutoIt/Clodow.gen!A (trojan.rules)
  2807961 - ETPRO CURRENT_EVENTS Nuclear EK Landing Apr 16 2014
(current_events.rules)

 [///]     Modified active rules:     [///]

  2017598 - ET TROJAN Possible Kelihos.F EXE Download Common Structure
(trojan.rules)
  2017714 - ET TROJAN PlugX Checkin (trojan.rules)
  2018362 - ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF (current_events.rules)
  2018372 - ET CURRENT_EVENTS Malformed HeartBeat Request (current_events.rules)
  2018373 - ET CURRENT_EVENTS Malformed HeartBeat Response
(current_events.rules)
  2018374 - ET CURRENT_EVENTS Malformed HeartBeat Request method 2
(current_events.rules)
  2807273 - ETPRO TROJAN Trojan.Ransom.BV Checkin (trojan.rules)
  2807950 - ETPRO TROJAN Win.Trojan.Hupigon-8559 Checkin (trojan.rules)

 [---]         Removed rules:         [---]

  2003548 - ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin
(malware.rules)
  2008282 - ET TROJAN Antispywaremaster.com Fake AV Checkin (trojan.rules)
Francis Trudeau | 16 Apr 01:16 2014

Daily Ruleset Update Summary 04/15/2014

 [***] Summary: [***]

 2 new Open signatures, 4 new Pro (2/2).  Zegost, ProRat.

 [+++]          Added rules:          [+++]

  2018390 - ET TROJAN Backdoor Win32/Zegost.Q CnC traffic (OUTBOUND)
(trojan.rules)
  2018392 - ET ATTACK_RESPONSE Possible  MS CMD Shell opened on local
system 2 (attack_response.rules)
  2807950 - ETPRO TROJAN Backdoor.Win32.ProRat Checkin (trojan.rules)
  2807951 - ETPRO TROJAN Win32.Wapomi.AA CnC (OUTBOUND) (trojan.rules)

 [///]     Modified active rules:     [///]

  2011582 - ET POLICY Vulnerable Java Version 1.6.x Detected (policy.rules)
  2014297 - ET POLICY Vulnerable Java Version 1.7.x Detected (policy.rules)
  2017412 - ET TROJAN Gh0st_Apple Checkin (trojan.rules)
  2805345 - ETPRO TROJAN Troj/Mdrop-DXT checkin 1 (trojan.rules)
  2805970 - ETPRO TROJAN Backdoor.Win32.MoSucker.23 reporting via ICQ
WWW script (trojan.rules)

 [---]         Removed rules:         [---]

  2014629 - ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr
folder plus js.js (current_events.rules)
  2015709 - ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr
folder plus index.htm or index.html (current_events.rules)
  2804470 - ETPRO TROJAN PWS-Spyeye.eo Checkin (trojan.rules)
Noah Dunker | 15 Apr 17:48 2014

SMTP FP on Heartbleed response 2018382

Truncated tcpdump. I don't think I've seen anyone run TLS on port 25. Is that even a thing?  We've seen about a dozen of these on port 25, and I'm wondering why the SID even looks for this port.

08:54:06.681251 IP (tos 0x0, ttl 64, id 2966, offset 0, flags [DF], proto TCP (6), length 1400)
    10.10.1.78.25 > 128.130.204.91.39225: Flags [.], cksum 0x48b1 (correct), seq 1:1349, ack 8, win 8256, options [nop,nop,TS val 1441880665 ecr 955885512], length 1348
        0x0000:  0001 0800 4500 0578 0b96 4000 4006 d1b4  ....E..x..@.@...
        0x0010:  0a0a 014e 8082 cc5b 0019 9939 3794 e042  ...N...[...97..B
        0x0020:  da47 b825 8010 2040 48b1 0000 0101 080a  .G.%...@H.......
        0x0030:  55f1 5a59 38f9 a7c8 1803 0240 0002 4000  U.ZY8......@..@.
        0x0040:  d803 0253 435b 909d 9b72 0bbc 0cbc 2b92  ...SC[...r....+.
        0x0050:  a848 97cf bd39 04cc 160a 8503 909f 7704  .H...9........w.
        0x0060:  33d4 de00 0066 c014 c00a c022 c021 0039  3....f.....".!.9
        0x0070:  0038 0088 0087 c00f c005 0035 0084 c012  .8.........5....
        0x0080:  c008 c01c c01b 0016 0013 c00d c003 000a  ................
        0x0090:  c013 c009 c01f c01e 0033 0032 009a 0099  .........3.2....
        0x00a0:  0045 0044 c00e c004 002f 0096 0041 c011  .E.D...../...A..
        0x00b0:  c007 c00c c002 0005 0004 0015 0012 0009  ................
        0x00c0:  0014 0011 0008 0006 0003 00ff 0100 0049  ...............I
        0x00d0:  000b 0004 0300 0102 000a 0034 0032 000e  ...........4.2..
        0x00e0:  000d 0019 000b 000c 0018 0009 000a 0016  ................
        0x00f0:  0017 0008 0006 0007 0014 0015 0004 0005  ................
        0x0100:  0012 0013 0001 0002 0003 000f 0010 0011  ................

... actual email headers and body in the rest of the packet ...

Noah Dunker, Security Analyst
RiskAnalytics, LLC
13220 Metcalf, Suite 250
Overland Park, KS 66213
Office - 913-685-6517
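
SMTP on port 25 can upgrade to TLS with STARTTLS (RFC 3207), so TLS records, heartbeats included, can legitimately be seen on that port. Decoding the dump above shows what the signature matched on: after the dump's 4-byte link-layer header, a 20-byte IP header and a 32-byte TCP header, the TCP payload starts at offset 0x38 and reads 18 03 02 40 00 02 40 00, i.e. a heartbeat record (content type 0x18), version 3.2, record length 0x4000, heartbeat message type 2 (response) with a declared payload length of 0x4000. RFC 6520 requires the payload plus at least 16 bytes of padding to fit inside the record, which a payload length equal to the record length cannot, and that is the condition a malformed-heartbeat check keys on. The script below is an added example, not Emerging Threats' rule logic or tcpdump code: it parses the hex dump copied from the post, walks the headers using the packet's own length fields and applies that check; the 4-byte link-layer header length is an assumption read off this particular dump.

```python
"""Decode the TLS record at the start of the TCP payload in a tcpdump -X dump
and apply the RFC 6520 length check that a malformed-heartbeat detector uses.

Added example; the hex dump lines are copied from the post above and the
4-byte link-layer header length is an assumption read off that dump."""
import re

TCPDUMP_HEX = """\
        0x0000:  0001 0800 4500 0578 0b96 4000 4006 d1b4  ....E..x..@.@...
        0x0010:  0a0a 014e 8082 cc5b 0019 9939 3794 e042  ...N...[...97..B
        0x0020:  da47 b825 8010 2040 48b1 0000 0101 080a  .G.%...@H.......
        0x0030:  55f1 5a59 38f9 a7c8 1803 0240 0002 4000  U.ZY8......@..@.
        0x0040:  d803 0253 435b 909d 9b72 0bbc 0cbc 2b92  ...SC[...r....+.
        0x0050:  a848 97cf bd39 04cc 160a 8503 909f 7704  .H...9........w.
        0x0060:  33d4 de00 0066 c014 c00a c022 c021 0039  3....f.....".!.9
        0x0070:  0038 0088 0087 c00f c005 0035 0084 c012  .8.........5....
        0x0080:  c008 c01c c01b 0016 0013 c00d c003 000a  ................
        0x0090:  c013 c009 c01f c01e 0033 0032 009a 0099  .........3.2....
        0x00a0:  0045 0044 c00e c004 002f 0096 0041 c011  .E.D...../...A..
        0x00b0:  c007 c00c c002 0005 0004 0015 0012 0009  ................
        0x00c0:  0014 0011 0008 0006 0003 00ff 0100 0049  ...............I
        0x00d0:  000b 0004 0300 0102 000a 0034 0032 000e  ...........4.2..
        0x00e0:  000d 0019 000b 000c 0018 0009 000a 0016  ................
        0x00f0:  0017 0008 0006 0007 0014 0015 0004 0005  ................
        0x0100:  0012 0013 0001 0002 0003 000f 0010 0011  ................
"""

TLS_HEARTBEAT = 0x18           # record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16               # RFC 6520 section 4: at least 16 bytes of padding


def parse_hexdump(text):
    """Turn tcpdump -X style output into bytes; only the hex column is used."""
    data = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s+(.*)$", line)
        if m:
            hex_column = m.group(1).split("  ", 1)[0]   # ASCII column follows two spaces
            data += bytes.fromhex(hex_column.replace(" ", ""))
    return bytes(data)


def tcp_payload(frame, link_header_len=4):
    """Skip link-layer, IPv4 and TCP headers using the packet's own length fields."""
    ip = frame[link_header_len:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    tcp = ip[(ip[0] & 0x0F) * 4:]          # IHL is in 32-bit words
    return tcp[(tcp[12] >> 4) * 4:]         # TCP data offset is in 32-bit words


def decode_heartbeat_record(payload):
    """Return record and heartbeat header fields, or None if not a heartbeat record."""
    if len(payload) < 8 or payload[0] != TLS_HEARTBEAT:
        return None
    return {
        "version": (payload[1], payload[2]),
        "record_len": int.from_bytes(payload[3:5], "big"),
        "hb_type": payload[5],
        "hb_payload_len": int.from_bytes(payload[6:8], "big"),
        "bytes_in_segment": len(payload) - 5,   # record bytes present in this segment
    }


def is_malformed_heartbeat(rec):
    """A valid heartbeat fits in its record: type (1) + length (2) + payload + >= 16 padding."""
    return rec["hb_payload_len"] + 3 + MIN_PADDING > rec["record_len"]


if __name__ == "__main__":
    rec = decode_heartbeat_record(tcp_payload(parse_hexdump(TCPDUMP_HEX)))
    print(rec, "malformed" if rec and is_malformed_heartbeat(rec) else "ok")
```

The same length test works on a heartbeat request, so a detector can apply it in both directions; on this dump it reports the 16384-byte response as malformed because the declared payload leaves no room for the mandatory padding.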
Francis Trudeau | 15 Apr 01:25 2014

Daily Ruleset Update Summary 04/14/2014

 [***] Summary: [***]

 6 new Open rules, 9 new Pro (6/3).  Zeus, AndroidOS.FakeInst, HeartBleed.

 Thanks:  Paul Schmehl, Kevin Ross, @kafeine, @EKWatcher.

 [+++]          Added rules:          [+++]

 Open:

  2018384 - ET CURRENT_EVENTS Zeus.Downloader Campaign Unknown Initial
CnC Beacon 10/4/2014 (current_events.rules)
  2018385 - ET CURRENT_EVENTS Zeus.Downloader Campaign Second Stage
Executable Request 10/4/2014 (current_events.rules)
  2018386 - ET TROJAN Trojan.Win32.Yakes.ehof Checkin (trojan.rules)
  2018387 - ET CURRENT_EVENTS Angler EK Landing Apr 14 2014
(current_events.rules)
  2018388 - ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted
Request Method 4 (Inbound to Common SSL Port) (current_events.rules)
  2018389 - ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted
Request Method 3 (Inbound to Common SSL Port) (current_events.rules)

 Pro:

  2804753 - ETPRO TROJAN Win32/Wadolin.A Checkin (trojan.rules)
  2807948 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ft
Checkin (mobile_malware.rules)
  2807949 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ft
Checkin 2 (mobile_malware.rules)

 [///]     Modified active rules:     [///]

  2003335 - ET USER_AGENTS 2search.org User Agent (2search) (user_agents.rules)
  2003346 - ET MALWARE Errorsafe.com Fake antispyware User-Agent
(ErrorSafe) (malware.rules)
  2003626 - ET MALWARE Double User-Agent (User-Agent User-Agent) (malware.rules)
  2009971 - ET P2P eMule KAD Network Hello Request (2) (p2p.rules)
  2010162 - ET WEB_SERVER Possible Successful Juniper NetScreen
ScreenOS Firmware Version Disclosure Attempt (web_server.rules)
  2011503 - ET EXPLOIT Successful Etrust Secure Transaction Platform
Identification and Entitlements Server File Disclosure Attempt
(exploit.rules)
  2011800 - ET POLICY Abnormal User-Agent No space after colon -
Likely Hostile (policy.rules)
  2012865 - ET TROJAN Vinself Backdoor Checkin (trojan.rules)
  2013195 - ET MALWARE Win32.EZula Adware Reporting Successful Install
(malware.rules)
  2013199 - ET TROJAN Trojan/Hacktool.Sniffer Successful Install
Message (trojan.rules)
  2013423 - ET TROJAN User-Agent in Referer Field - Likely Malware
(trojan.rules)
  2014103 - ET WEB_SERVER Unusually Fast HTTP Requests With Referer
Url Matching DoS Tool (web_server.rules)
  2014302 - ET TROJAN Suspicious HTTP Referer C Drive Path (trojan.rules)
  2014758 - ET TROJAN Trojan.BAT.Qhost - SET (trojan.rules)
  2014759 - ET TROJAN Trojan.BAT.Qhost Response from Controller (trojan.rules)
  2017031 - ET CURRENT_EVENTS Unknown_InIFRAME - In Referer
(current_events.rules)
  2017561 - ET MALWARE W32/Wajam.Adware Successful Install (malware.rules)
  2017788 - ET MOBILE_MALWARE Android.KorBanker Successful Fake
Banking App Install CnC Server Acknowledgement (mobile_malware.rules)
  2017880 - ET MALWARE W32/Linkular.Adware Successful Install Beacon
(malware.rules)
  2017935 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 12 SET (trojan.rules)
  2017936 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic
(OUTBOUND) 12 (trojan.rules)
  2018059 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 1 (trojan.rules)
  2018060 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 2 (trojan.rules)
  2018061 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 3 (trojan.rules)
  2018062 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 4 (trojan.rules)
  2018063 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 5 (trojan.rules)
  2018064 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 6 (trojan.rules)
  2018065 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 7 (trojan.rules)
  2018066 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 8 (trojan.rules)
  2018067 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 9 (trojan.rules)
  2018068 - ET TROJAN Possible KAPTOXA Encoded Data Transferred Over
SMB 10 (trojan.rules)
  2018129 - ET TROJAN W32/Trojan-Gypikon Sending Data (trojan.rules)
  2018130 - ET TROJAN W32/Trojan-Gypikon Server Check-in Response (trojan.rules)
  2018162 - ET CURRENT_EVENTS Malicious Redirect Evernote Spam
Campaign Feb 19 2014 (current_events.rules)
  2018283 - ET TROJAN Possible Netwire RAT Client HeartBeat C2 (trojan.rules)
  2018323 - ET MALWARE W32/Linkular.Adware Successful Install Beacon
(2) (malware.rules)
  2018345 - ET TROJAN W32/SpeedingUpMyPC.Rootkit Successful Install
GET Type CnC Beacon (trojan.rules)
  2804241 - ETPRO TROJAN Unknown Trojan Checkin id= mac= (trojan.rules)
  2804446 - ETPRO TROJAN Win32/Votead Checkin (trojan.rules)
  2806313 - ETPRO TROJAN Win32/Injector.AEDM Checkin (trojan.rules)
  2806880 - ETPRO TROJAN Suspicious HTTP Referer artifact.exe at drive
C (trojan.rules)

 [///]    Modified inactive rules:    [///]

  2010500 - ET MALWARE Executable purporting to be .txt file with no
Referer - Likely Malware (malware.rules)
  2010501 - ET MALWARE Executable purporting to be .cfg file with no
Referer - Likely Malware (malware.rules)

 [---]         Removed rules:         [---]

  2018020 - ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 (trojan.rules)
  2018251 - ET TROJAN Havex Rat Check-in URI Struct (trojan.rules)
  2405089 - ET CNC Shadowserver Reported CnC Server Port 58914 Group 1
(botcc.portgrouped.rules)
  2806408 - ETPRO TROJAN Win32/Banload.AHA Sending SPAM (trojan.rules)
Paul Schmehl | 11 Apr 19:08 2014

Rule false positives - 2016921

For some reason this rule is being triggered when it shouldn't be:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO 
Suspicious Mozilla UA with no Space after colon"; 
flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; 
nocase; fast_pattern:only; threshold: type limit,track by_src,count 
2,seconds 60; classtype:trojan-activity; sid:2016921; rev:4;)

Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 103.7.30.143
Pragma: no-cache

As you can see, there is a space after the colon.

--

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

Paul Schmehl | 11 Apr 19:04 2014

Request for rule change - 2011800

This rule is triggering due to a poorly designed Chinese app.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 
Abnormal User-Agent No space after colon - Likely Hostile"; 
flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; 
content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; 
http_header; content:!"masterconn.qq.com"; http_header; 
content:!"Konfabulator"; http_header; classtype:trojan-activity; 
sid:2011800; rev:8;)

The app sends this UserAgent:

Host:c.pc.qq.com
Accept:*/*
User-Agent:Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)

I propose the following change to negate the QQPCMgr agent:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY 
Abnormal User-Agent No space after colon - Likely Hostile"; 
flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; 
content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; 
http_header; content:!"masterconn.qq.com"; http_header; 
content:!"Konfabulator"; http_header; content:!"QQPCMgr"; http_header; 
classtype:trojan-activity; sid:2011800; rev:9;)

--

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
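As an added illustration (not the ET rule engine and not Paul's code), the following Python decodes the `|3A|`-style hex escapes used in these content matches and emulates the chain of positive and negated `http_header` checks, running rev 8 and the proposed rev 9 against the QQPCMgr header quoted above and a constructed ordinary browser header. The hostname in the constructed header and the case-sensitive matching (the quoted rule has no `nocase`) are assumptions.

```python
def snort_content_to_bytes(content):
    """Decode a Snort content string: text outside |..| is literal, text
    inside a |..| pair is hex bytes, e.g. "User-Agent|3A|Mozilla"."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2:                              # odd chunks sit inside a |..| pair
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)

def header_matches(http_header, contents):
    """Emulate a rule's http_header content / content:! chain: every positive
    pattern must occur somewhere in the header buffer and no negated pattern
    may occur anywhere in it. Matching is case-sensitive (no nocase modifier)."""
    for pattern, negated in contents:
        found = snort_content_to_bytes(pattern) in http_header
        if found == negated:                   # positive missing, or negated present
            return False
    return True

# (pattern, negated) pairs transcribed from sid 2011800 rev 8 and the proposed rev 9
REV8 = [("User-Agent|3A|Mozilla", False), ("BlackBerry|3b|", True),
        ("PlayBook|3b|", True), ("masterconn.qq.com", True), ("Konfabulator", True)]
REV9 = REV8 + [("QQPCMgr", True)]

# constructed header buffers: the QQPCMgr request from the post, and a normal
# browser request that puts a space after the colon (hostname is made up)
QQ_HEADER = (b"Host:c.pc.qq.com\r\nAccept:*/*\r\n"
             b"User-Agent:Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)\r\n")
NORMAL_HEADER = (b"Host: www.example.invalid\r\nAccept: */*\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n")

if __name__ == "__main__":
    print("rev8 on QQPCMgr:", header_matches(QQ_HEADER, REV8))      # True: fires
    print("rev9 on QQPCMgr:", header_matches(QQ_HEADER, REV9))      # False: exempted
    print("rev8 on normal UA:", header_matches(NORMAL_HEADER, REV8))  # False: space present
```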

Will Metcalf | 11 Apr 18:24 2014

Re: [Etpro-sigs] Daily Ruleset Update Summary 04/10/2014 Part 2

Hmmm can you show the rule as you have it? This seems to load just fine into snort. Are you sure you don't have an extra line feed or something there?

Regards,

Will


On Fri, Apr 11, 2014 at 10:08 AM, Williams, Andrew N. <ANDREW.N.WILLIAMS-taCtA1Gr/WzQT0dZR+AlfA@public.gmane.org> wrote:

I continually get an error when trying to import to SF running 4.10.3.7: “Error (line 3): alert tcp $HOME_NET any - ... Rule Parse Error : Invalid rule message”

 

Looks as if there is an issue with the second rule? I can’t spot it.

 

I was able to import the first rule, 2018382 with no issues.

 

v/r,

 

Andrew N Williams, CISSP

Network Security Engineer

Leidos Threat and Security Operations Services

Phone 832-629-6821

andrew.n.williams-taCtA1Gr/WzQT0dZR+AlfA@public.gmane.org

 

From: etpro-sigs-bounces-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org [mailto:etpro-sigs-bounces-QLpEr2logwxONy2houXFdO9NwHtMwxe5XqFh9Ls21Oc@public.gmane.org] On Behalf Of Will Metcalf
Sent: Friday, April 11, 2014 12:34 AM
To: Emerging Sigs; Emerging-updates redirect; ETPro-sigs List
Subject: [Etpro-sigs] Daily Ruleset Update Summary 04/10/2014 Part 2

 

We were missing some HeartBleed attacks due to non heartbeat records prepended to the heartbeat record as observed in masscan. These rules are port limited, so adjust as necessary for your environment. Interestingly, even though OpenSSL seems to leak up to 65k bytes, the advertised length for the response tries to remain within RFC at 2^14 bytes, so we check for this as well to reduce FPs.



 [+++]          Added rules:          [+++]

  2018382 - ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server) (current_events.rules)
  2018383 - ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client) (current_events.rules)
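To make the record-walking and the length check concrete, here is an added Python sketch (not the ET rule text and not project code) that scans a server-to-client TLS byte stream, steps past any non-heartbeat records in front, and flags heartbeat responses whose record is large while the advertised payload length still sits within the 2^14-byte RFC limit. The 1024-byte "large" threshold and the sample records are constructed assumptions.

```python
import struct

TLS_HEARTBEAT = 24       # TLS record content type: heartbeat (RFC 6520)
HB_RESPONSE = 2          # HeartbeatMessageType: heartbeat_response
RFC_MAX_LEN = 2 ** 14    # advertised length normally stays within 2^14 bytes
LARGE_RECORD = 1024      # constructed threshold; a benign heartbeat is tens of bytes

def iter_tls_records(stream):
    """Yield (content_type, body) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + rlen]
        if len(body) < rlen:          # truncated final record: stop, do not guess
            break
        yield ctype, body
        off += 5 + rlen

def find_large_heartbeat_responses(stream):
    """Return (record_body_len, advertised_payload_len) for each suspicious
    heartbeat response. Every record is walked, so a heartbeat record that
    arrives after application-data or other records is still inspected."""
    hits = []
    for ctype, body in iter_tls_records(stream):
        if ctype != TLS_HEARTBEAT or len(body) < 3:
            continue
        hb_type, advertised = struct.unpack("!BH", body[:3])
        if hb_type != HB_RESPONSE:
            continue
        if len(body) >= LARGE_RECORD and advertised <= RFC_MAX_LEN:
            hits.append((len(body), advertised))
    return hits

def tls_record(ctype, body):
    """Build one TLS 1.1 record (version 0x0302) around body."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

def heartbeat(hb_type, advertised, payload):
    """Build a heartbeat message: type, 16-bit length, payload, 16 bytes padding."""
    return struct.pack("!BH", hb_type, advertised) + payload + b"\x00" * 16

# constructed streams: an application-data record (type 23) precedes each heartbeat
BENIGN = tls_record(23, b"\x00" * 40) + tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 18, b"A" * 18))
LEAK = 16000             # response echoing a 16000-byte claimed length, still under 2^14
SUSPECT = tls_record(23, b"\x00" * 40) + tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, LEAK, b"L" * LEAK))

if __name__ == "__main__":
    print("benign:", find_large_heartbeat_responses(BENIGN))     # []
    print("suspect:", find_large_heartbeat_responses(SUSPECT))   # [(16019, 16000)]
```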


