Francis Trudeau | 1 Oct 22:55 2014

Daily Ruleset Update Summary 10/01/2014

 [***] Summary: [***]

 10 new Open signatures, 15 new Pro (10 + 5).  Abuse.ch SSL blacklist,
iOS/Xsser, Trojan/Banker.Agent.bof, Win32.Slenfbot.

 Thanks:  Patrick Olsen, Jake Warren, James Lay, Stephane Chazelas,
 @abuse_ch, @jaimeblascob and @rmkml.

 [+++]          Added rules:          [+++]

 Open:

  2019326 - ET TROJAN Likely Bot Nick in IRC (Country Code ISO 3166-1
alpha-2 (trojan.rules)
  2019327 - ET TROJAN Likely Bot Nick in IRC (Country Code ISO 3166-1
alpha-3 (trojan.rules)
  2019328 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2019329 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (KINS C2) (trojan.rules)
  2019330 - ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate
detected (UPATRE CnC) (trojan.rules)
  2019331 - ET MOBILE_MALWARE iOS/Xsser Checkin (mobile_malware.rules)
  2019332 - ET MOBILE_MALWARE iOS/Xsser sending GPS info (mobile_malware.rules)
  2019333 - ET MOBILE_MALWARE iOS/Xsser sending files (mobile_malware.rules)
  2019334 - ET MOBILE_MALWARE iOS/Xsser checking library version
(mobile_malware.rules)
  2019335 - ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt (exploit.rules)

 Pro:

Russell Fulton | 1 Oct 21:52 2014

Re: rule syntax problem


On 2/10/2014, at 2:04 am, Pedro Marinho <pppmarinho@...> wrote:

> 
> Example of what that pcre will match
> 
> pcretest
> PCRE version 8.12 2011-01-15
> 
>   re> /[^\r\n]{0,7}[A-Z]{2,3}/

Oh, I see the problem — it took a while — I must be getting old!

You have to account for the fact that the match can be within the first 9 chars which makes the re messy in the extreme.

I may just add some local rules for a couple of UK and NZ.

Russell

Jake Warren | 1 Oct 21:50 2014

Pure-FTPd CVE-2014-6271

Here's a sig for a CVE-2014-6271 attempt against Pure-FTPd with an external authentication handler:

alert tcp any any -> $HOME_NET 21 (msg:"Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern:only; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:xxxx; rev:1;)

-Jake Warren
Nathan | 1 Oct 20:33 2014

F5 iRule for ShellShock CVE-2014-6271 & CVE-2014-7169

This iRule also covers CVE-2014-7169.  Sharing on the list with permission from
Will Metcalf to help as many people as I can (some organizations on this list
use F5).  TLP GREEN on the iRule, use it as needed.

# iRule: NCF_ShellShock_CVE-2014-6271
# Nathan Fowler
# Tue Sep 30 2014
#
# iRule to stop traffic that exhibits the conditions seen in CVE-2014-6271 and
# CVE-2014-7169, validation against Emerging-Threats comprehensive coverage of
# CVE-2014-6271
# https://devcentral.f5.com/articles/shellshock-mitigation-with-big-ip-irules
# is NOT comprehensive and is easily evaded.
#
# Assumptions - We will not inspect HTTP POST at this time due to overhead and
# the fact that HTTP POST exploiting CVE-2014-6271 has not been observed in the
# wild yet.
#
# Changelog:
#    Tue Sep 30 2014 10:35:00 CDT - Initial Development
#    Wed Oct 01 2014 11:57:00 CDT - Correct issue with not inspecting the HTTP
#                                   Header values (was previously inspecting the
#                                   HTTP Header names only)
#    Wed Oct 01 2014 13:07:00 CDT - Don't require the \x20 trailing space, in
#                                   conversations with ET crew and Jorgen, \x09
#                                   can be used as well.

when HTTP_REQUEST {
    #HTTP URI and HTTP Method
    if { ( [URI::decode [HTTP::uri]] contains "\x28\x29\x20\x7b" ||
           [URI::decode [HTTP::method]] contains "\x28\x29\x20\x7b" ) }{
        if { ( [URI::decode [HTTP::uri]] matches_regex {[^\n]*\x28\x29\x20\x7b\s[^\n]*} ||
               [URI::decode [HTTP::method]] matches_regex {[^\n]*\x28\x29\x20\x7b\s[^\n]*} ) }{
            log local0. "Attempted CVE-2014-6271/CVE-2014-7169 BASH ShellShock Exploitation Attempt to [HTTP::host] from [IP::client_addr]"
            HTTP::respond 403 "Invalid Request"
            return
        }
    }

    #HTTP Headers
    foreach header_name [HTTP::header names] {
        foreach header_value [HTTP::header values $header_name] {
            if { ( [URI::decode $header_name] contains "\x28\x29\x20\x7b" ||
                   [URI::decode $header_value] contains "\x28\x29\x20\x7b" ) }{
                if { ( [URI::decode $header_name] matches_regex {[^\n]*\x28\x29\x20\x7b\s[^\n]*} ||
                       [URI::decode $header_value] matches_regex {[^\n]*\x28\x29\x20\x7b\s[^\n]*} ) }{
                    log local0. "Attempted CVE-2014-6271/CVE-2014-7169 BASH ShellShock Exploitation Attempt to [HTTP::host] from [IP::client_addr]"
                    HTTP::respond 403 "Invalid Request"
                    return
                }
            }
        }
    }
}
James Lay | 1 Oct 18:58 2014

Rule 2018465

Any reason this doesn't have a distance either?

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Backdoor.Adwind Download 2"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"Adwin"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; reference:url,www.crowdstrike.com/blog/adwind-rat-rebranding/index.html; classtype:trojan-activity; sid:2018465; rev:4;)

This is about 700 bytes in:

000F596D  6f 77 6e 6c 6f 61 64 2f  0a 0a 44 6f 77 6e 6c 6f  ownload/ ..Downlo
000F597D  61 64 57 69 6e 64 6f 77  2e 63 6c 61 73 73 a5 57  adWindow .class.W
000F598D  69 77 14 45 14 bd 45 26  e9 a4 69 15 90 44 40 c4  iw.E..E& ..i..D@.
000F599D  15 48 26 c8 b8 26 c8 aa  49 40 82 41 62 82 d1 00  .H&..&.. I@.Ab...
000F59AD  2e 9d e9 4a 52 d8 d3 1d  7b 3a 09 c1 7d df f7 7d  ...JR... {:..}..}

Maybe case sensitive the Adwin.

James
Matt Jonkman | 1 Oct 17:29 2014

Suricata Training Announced for Deepsec

Follow-on from announcements earlier this week, we also have a session in Vienna at Deepsec. Great conference if you haven't been, and a great city to visit!

*DeepSec - Vienna, November 18 and 19: 2 day training event*

This training session will take place on November 18 and 19 at the DeepSec conference. It will be given by Victor Julien, Eric Leblond, Peter Manev and Matt Jonkman.

The event is part of the DeepSec conference, so registrations/bookings go through: https://deepsec.net/register.html

See also http://blog.deepsec.net/?p=1893

We're also preparing US east coast and west coast events, we'll send out announcements for those shortly. Keep an eye on
http://suricata-ids.org/training/

--

----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x7110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
Will Metcalf | 1 Oct 16:55 2014

Re: Bash 0-day

Not in headers. In other buffers. URI etc. I'm trimming headers match to be as you suggested. 

Regards,

Will

> On Oct 1, 2014, at 9:36 AM, Stephane Chazelas
<stephane.chazelas@...> wrote:
> 
> 2014-10-01 09:13:07 -0500, Will Metcalf:
>>> Note that it's not only HTTP headers. The SERVER_PROTOCOL is
>>> also a vector in Apache (GET / () {...). The HTTP method could
>> 
>> 2019236 attempts to deal with this.
>> 
>>> You don't want to check for the space after "{". It works with a
>>> tab as well (09) and possibly other characters depending on the
>>> server's locale. bash needs a variable that starts with "() {".
>> 
>> Will have a look thanks. Wonder if we can do anchored \s*? for some buffers
>> this was a big difference between FP's and no FP's.
> [...]
> 
> What kind of FP has "() {" in the HTTP headers!? User Agents?
> For Apache, if you look for "() {" in the first 3 words (words
> being \s+ separated \S+es), that may be enough but don't take my
> word for it. That may let through attacks using non-Apache
> vectors though.
> 
> -- 
> Stephane
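The request-side logic of Nathan's iRule above and Stephane's two points in this exchange (the protocol token of the request line is a vector as well as the headers, and the byte after "{" may be a tab) in a testable form. This is an added example for this page, not the iRule or Emerging Threats code; the sample requests are constructed.

```python
import re
from urllib.parse import unquote

# The marker the iRule's regex keys on after URI::decode: "() {" followed by any
# whitespace (\s), so a tab (\x09) after the brace is caught as well as a space.
SHELLSHOCK_RE = re.compile(r"\(\) \{\s")

def request_fields(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP request head into (label, text) pairs: method, uri, the
    protocol token (Stephane's SERVER_PROTOCOL vector), and every header name and
    value. Duplicate headers are kept, as the iRule's nested foreach does."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = (request_line.split(" ", 2) + ["", ""])[:3]
    fields = [("method", method), ("uri", uri), ("version", version)]
    for line in header_lines:
        name, _, value = line.partition(":")
        fields.append((f"header-name:{name}", name))
        fields.append((f"header:{name}", value.lstrip(" \t")))
    return fields

def shellshock_hits(raw: bytes) -> list[str]:
    """Labels of the request fields that carry the marker once percent-decoded.
    The body is not inspected, matching the iRule's stated assumption."""
    return [label for label, text in request_fields(raw)
            if SHELLSHOCK_RE.search(unquote(text))]

# Constructed sample requests, not captures from the thread.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")
TAB_AFTER_BRACE = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: () {\t:;};\r\n\r\n")           # \x09, not \x20
ENCODED_URI = (b"GET /cgi-bin/status?q=%28%29%20%7B%09 HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")                 # seen only after decoding
PROTOCOL_TOKEN = b"GET / () { :; }; HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name in ("BENIGN", "TAB_AFTER_BRACE", "ENCODED_URI", "PROTOCOL_TOKEN"):
        print(f"{name}: {shellshock_hits(globals()[name])}")
```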
Patrick Olsen | 1 Oct 15:01 2014

Xsser mRAT for iOS

I don't have PCAPs for this, but just taking a stab at it and writing a couple rules based on the web content.

alert tcp any any -> any any (msg:"ET MOBILE_MALWARE mRat for iOS"; flow:to_server,established; content:"GET"; http_method; content:"/CheckLibrary.aspx"; http_uri; content:"User-Agent: xsser.0day"; fast_pattern; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan; classtype:trojan-activity; sid:xxxxxxx; rev:1;)

alert tcp any any -> any any (msg:"ET MOBILE_MALWARE mRat for iOS CnC Beacon"; flow:to_server,established; content:"POST"; http_method; content:"/TargetUploadFile.aspx?tmac="; http_uri; fast_pattern; content:"0day"; reference:url,lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan; classtype:trojan-activity; sid:xxxxxxx; rev:1;)
Russell Fulton | 30 Sep 23:49 2014

rule syntax problem

Hi

I want to modify this rule for local usage (basically swapping RE for "USA" ;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; content:"NICK "; depth:5; content:"USA"; within:10; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:5;)

I want to replace content:"USA";
with something like pcre /[A-Z]{2,3}/

If I do so I get an error on the within clause, which I take to mean that I can’t use it with a pcre.  Anyone have
any suggestions on how to generalise this rule?

BTW I don’t want to just replace USA with NZ since then I won’t pick up laptops that have been infected in the
US and then brought home.

Russell
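Emulating the content modifiers behind the two rules under discussion, sid 2008124 (Russell's NICK rule in this post) and sid 2018465 (James's Adwind rule, earlier on this page), as an added example rather than engine code: the depth/within/relative-pcre semantics are my reading of the Snort and Suricata manuals, the flow, flowbits and file_data preconditions are ignored, and the payloads are constructed (JAR_FP reuses the bytes from James's dump).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    depth: int | None = None   # absolute: match must end within `depth` bytes of payload start
    within: int | None = None  # relative: match must end within `within` bytes of previous match end

def match_contents(payload: bytes, contents: list[Content]) -> int | None:
    """Apply ordered content matches left to right (no engine-style backtracking);
    return the offset just past the last match, or None if any content fails."""
    prev_end = 0
    for i, c in enumerate(contents):
        hay, pat = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
        limit = len(hay) if c.depth is None else min(len(hay), c.depth)
        if i > 0 and c.within is not None:
            limit = min(limit, prev_end + c.within)
        pos = hay.find(pat, prev_end, limit)  # match must lie entirely in [prev_end, limit)
        if pos < 0:
            return None
        prev_end = pos + len(pat)
    return prev_end

def nick_rule_hits(payload: bytes) -> bool:
    """sid 2008124 as posted: content:"NICK "; depth:5; content:"USA"; within:10;"""
    return match_contents(payload, [Content(b"NICK ", depth=5), Content(b"USA", within=10)]) is not None

def nick_pcre_windowed_hits(payload: bytes) -> bool:
    """Russell's generalisation with the within:10 window emulated by slicing (the rule
    language rejects within on a pcre): regex anchored after "NICK ", 10-byte window."""
    end = match_contents(payload, [Content(b"NICK ", depth=5)])
    return end is not None and re.match(rb"[^\r\n]{0,7}[A-Z]{2,3}", payload[end:end + 10]) is not None

def adwind_rule_hits(payload: bytes, nocase: bool = True) -> bool:
    r"""sid 2018465: content:"Adwin"; nocase; pcre:"/^[a-z0-9_-]*?\.class/Rsi" (R = anchored
    at the previous match end). nocase=False is James's case-sensitive suggestion."""
    end = match_contents(payload, [Content(b"Adwin", nocase=nocase)])
    return end is not None and re.match(rb"[a-z0-9_-]*?\.class", payload[end:], re.I | re.S) is not None

# Constructed samples, not captures from the thread; JAR_FP carries the bytes James's dump showed.
IRC_USA   = b"NICK USA|654321\r\n"
IRC_LATE  = b"NICK bot-from-USA\r\n"   # "USA" ends 17 bytes in, past the within:10 window
IRC_NZ    = b"NICK NZ-laptop\r\n"
IRC_PLAIN = b"NICK johnDOE\r\n"        # no country code, but the {0,7} prefix lets "DOE" match
JAR_FP    = b"ownload/\n\nDownloadWindow.class\xa5W"   # "adWin" + "dow.class": the false positive
JAR_TP    = b"\x00\x00Adwind.class"

if __name__ == "__main__":
    for p in (IRC_USA, IRC_LATE, IRC_NZ, IRC_PLAIN):
        print(p, "literal:", nick_rule_hits(p), "pcre windowed:", nick_pcre_windowed_hits(p))
    for p in (JAR_FP, JAR_TP):
        print(p, "nocase:", adwind_rule_hits(p), "case sensitive:", adwind_rule_hits(p, nocase=False))
```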
Francis Trudeau | 30 Sep 23:09 2014

Daily Ruleset Update Summary 09/30/2014

 [***] Summary: [***]

 8 new Open signatures, 14 new Pro (8+6).  Dyre, CVE-2014-6271,
Flashpack, Bredolap/Rebhip/Bifrose, Win32.TrojanDropper.

 Thanks:  @EKwatcher and @kafeine.

 [+++]          Added rules:          [+++]

 Open:

  2019318 - ET MOBILE_MALWARE Android/Code4hk.A Checkin (mobile_malware.rules)
  2019319 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014
(current_events.rules)
  2019320 - ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014
(current_events.rules)
  2019321 - ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST
(current_events.rules)
  2019322 - ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt (exploit.rules)
  2019323 - ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt (exploit.rules)
  2019324 - ET CURRENT_EVENTS suspicious embedded zip file in web page
(current_events.rules)
  2019325 - ET CURRENT_EVENTS Flashpack Redirect Method 3 (current_events.rules)

 Pro:

  2808915 - ETPRO TROJAN Trojan.FakeAlert.CAF Checkin (trojan.rules)
  2808916 - ETPRO TROJAN Bredolap/Rebhip/Bifrose Checkin 2 (trojan.rules)
  2808918 - ETPRO MOBILE_MALWARE Android/SMSreg.BI Checkin
(mobile_malware.rules)
  2808920 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.mj Checkin
(mobile_malware.rules)
  2808921 - ETPRO TROJAN DDoS.XOR Checkin (trojan.rules)
  2808922 - ETPRO TROJAN Win32.TrojanDropper.Startpage.klpp Checkin
(trojan.rules)

 [///]     Modified active rules:     [///]

  2003437 - ET P2P Ares over UDP (p2p.rules)
  2019134 - ET CURRENT_EVENTS Flashpack Redirect Method 2 (current_events.rules)
  2808536 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Recal.a Checkin
(mobile_malware.rules)
  2808800 - ETPRO TROJAN Win32.Llac.bbeh downloading files (trojan.rules)

 [---]         Removed rules:         [---]

  2007975 - ET TROJAN Common Downloader Trojan Checkin (trojan.rules)
  2008344 - ET TROJAN Suspicious User-Agent (DownloadNetFile) (trojan.rules)
James Lay | 30 Sep 21:13 2014

Rule 2000418

Any reason distance wasn't specified with this rule?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Executable and linking format (ELF) file download"; flow:established; content:"|7F|ELF"; fast_pattern:only; content:"|00 00 00 00 00 00 00 00|"; flowbits:set,ET.ELFDownload; reference:url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000418; classtype:policy-violation; sid:2000418; rev:13;)

This matches at almost the end of a 1500 size packet:


Per https://en.wikipedia.org/wiki/Executable_and_Linkable_Format I'm 
betting setting distance:64; could cover this.

James
