Rodrigo Montoro (Sp0oKeR) | 25 Feb 02:32 2012

Re: .ch.vu sigs

Since there is only one content, you don't need fast_pattern.

2012/2/24, harry.tuttle <harry.tuttle <at> zoho.com>:
> Not sure exactly, but what you say makes sense. I was just doing a cut and
> paste job without honestly paying much attention.
>
> There are a lot of similar rules both with and without the "only" in the
> rule set.
>
> Regards,
> Harry
>
>
> ---- On Fri, 24 Feb 2012 11:48:09 -0800 Edward Fjellskål  wrote ----
>
>>On 02/24/2012 08:40 PM, harry.tuttle wrote:
>>> content:".ch.vu|0D 0A|"; fast_pattern:only; http_header;
>>
>>Does that make sense ?
>>
>>"The optional argument _only_ can be used to specify that the content
>>should only be used for the fast pattern matcher
>>and should not be evaluated as a rule option." - Snort doc
>>
>>fast_pattern looks in the whole payload, therefore http_header;
>>would not make sense?
>>
>>suggest changing to:
>>content:".ch.vu|0D 0A|"; fast_pattern; http_header;
>>


RE : Re: RE : Re: Sig idea - try2check.me

Thx Elhoim,

Check again copy/paste tcp flow please and reference url...

Another idea: add byte_test !& 128 to detect DNS requests ...

If (only) stream5 udp is enabled: add flow to_server on the udp rule...
Best Regards
Rmkml



-------- Original message -------- Subject: Re: RE : Re: [Emerging-Sigs] Sig idea - try2check.me From: DA To: rmkml <at> yahoo.fr,jonkman <at> gmail.com,Emerging-sigs <at> emergingthreats.net CC:

Hi

I indeed borked my copy/paste kung-fu.. :)

alert udp any any -> any 53 (msg:"try2check.me Carding Checker Site DNS
Connection"; content:"|09|try2check|02|me|00|"; nocase;
classtype:bad-unknown; sid:5000001;
ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
rev:2;)
alert tcp any any -> any 53 (msg:"try2check.me Carding Checker Site DNS
Connection"; content:"|09|try2check|02|me|00|"; nocase;
flow:established,to_/server/; classtype:bad-unknown; sid:5000002;
ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
rev:2;)

Regards,
elhoim

On 24/02/12 18:56, rmkml <at> yahoo.fr wrote:
> Hi Elhoim,
> Nice rules,
> But I'm curious why the second content (0x09) please?
> Maybe add flow to_server?
> Maybe nocase is in the wrong place?
> Best Regards
> Rmkml
>
>
>
> -------- Original message -------- Subject: Re: [Emerging-Sigs] Sig
> idea - try2check.me From: Matthew Jonkman To: elhoim <at> gmail.com CC:
> Emerging-sigs <at> emergingthreats.net
>
> Nice, thanks AD.
>
> Anyone have a few minutes to pull the ssl cert from a few hits and see
> if it's consistent? We could sig that as well.
>
> Matt
>
>
> On Feb 24, 2012, at 4:13 AM, AD wrote:
>
> > It is a credit card checker for the carders.
> > They are security conscious, and use a unique hostname & port per
> > client, and https.
> >
> > According to the article they are quite popular in the underground.
> >
> > And thus, here is a little sig to find if some of your users are using
> > that site:
> >
> > alert udp any any -> any 53 (msg: " |09|try2check|02|me|00|";
> > content:"|09|"; nocase; classtype:bad-unknown; sid:5000001;
> >
> ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
> > rev:1;)
> > alert tcp any any -> any 53 (msg: " |09|try2check|02|me|00|";
> > content:"|09|"; nocase; classtype:bad-unknown; sid:5000002;
> >
> ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
> > rev:1;)
> >
> >
> > References
> > in french -
> https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort
>

AD | 25 Feb 10:21 2012

Re: RE : Re: RE : Re: Sig idea - try2check.me

Better?

alert udp any any -> $EXTERNAL_NET 53 (msg:"try2check.me Carding
Checker Site DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|";
depth:10; offset:2;  content:"|09|try2check|02|me|00|"; fast_pattern;
nocase; distance:0; classtype:bad-unknown; sid:5000001;
reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort;
rev:3;)

alert tcp any any -> $EXTERNAL_NET 53 (msg:"try2check.me Carding
Checker Site DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|";
depth:10; offset:2; content:"|09|try2check|02|me|00|"; fast_pattern;
nocase; distance:0; flow:established,to_/server/;
classtype:bad-unknown; sid:5000002;
reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort;
rev:3;)

On Sat, Feb 25, 2012 at 08:00, rmkml@...
<rmkml@...> wrote:
> alert udp any any -> any 53 (msg:"try2check.me Carding Checker Site DNS
> Connection"; content:"|09|try2check|02|me|00|"; nocase;
>
> classtype:bad-unknown; sid:5000001;
> ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
> rev:2;)
> alert tcp any any -> any 53 (msg:"try2check.me Carding Checker Site DNS
> Connection"; content:"|09|try2check|02|me|00|"; nocase;
> flow:established,to_/server/; classtype:bad-unknown; sid:5000002;
> ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
>
> rev:2;)
AD | 25 Feb 10:41 2012

EvilGrade upgrades - script to create rules

I stumbled upon this today:
http://www.deadshell.org/2011/12/snort-rules-for-evilgrade.html

Made me think about creating rules for insecure update mechanisms and/or policy.
What do you think?

Regards,
elhoim

RE : Re: RE : Re: RE : Re: Sig idea - try2check.me

Yes it's better,
But the new first content is very fast, but a possible FN because many other DNS flags exist... I prefer the byte_test previously proposed...
Warning: DNS over TCP does not have the same offset as UDP...
And test these rules with the dig/host/nslookup DNS clients...
Best Regards
Rmkml



-------- Original message -------- Subject: Re: RE : Re: RE : Re: [Emerging-Sigs] Sig idea - try2check.me From: AD To: rmkml <at> yahoo.fr CC: jonkman <at> gmail.com,emerging-sigs <at> emergingthreats.net

Better?

alert udp any any -> $EXTERNAL_NET 53 (msg:"try2check.me Carding
Checker Site DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|";
depth:10; offset:2;  content:"|09|try2check|02|me|00|"; fast_pattern;
nocase; distance:0; classtype:bad-unknown; sid:5000001;
reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort;
rev:3;)

alert tcp any any -> $EXTERNAL_NET 53 (msg:"try2check.me Carding
Checker Site DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|";
depth:10; offset:2; content:"|09|try2check|02|me|00|"; fast_pattern;
nocase; distance:0; flow:established,to_/server/;
classtype:bad-unknown; sid:5000002;
reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort;
rev:3;)

On Sat, Feb 25, 2012 at 08:00, rmkml <at> yahoo.fr <rmkml <at> yahoo.fr> wrote:
> alert udp any any -> any 53 (msg:"try2check.me Carding Checker Site DNS
> Connection"; content:"|09|try2check|02|me|00|"; nocase;
>
> classtype:bad-unknown; sid:5000001;
> ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
> rev:2;)
> alert tcp any any -> any 53 (msg:"try2check.me Carding Checker Site DNS
> Connection"; content:"|09|try2check|02|me|00|"; nocase;
> flow:established,to_/server/; classtype:bad-unknown; sid:5000002;
> ref:"https://cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort";
>
> rev:2;)

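The three points argued over in the try2check.me thread above (AD's hard-coded flags block at offset 2 versus rmkml's byte_test on the QR bit, the offset shift for DNS over TCP, and testing against what real resolver clients send) can be checked offline. What follows is an added example written for this page, not code from the list, from any rule set, or from Snort itself: it builds a few DNS queries with Python's standard library and emulates the content/offset/depth/distance/byte_test options by hand. Assumptions: rmkml's suggestion is taken to be written as byte_test:1,!&,128,2 on the flags high byte (offset 4 once the TCP length prefix is in front); the alternative flag values (0x0120 for RD+AD, 0x8180 for a response) are constructed, not captured; Snort's stream reassembly and fast-pattern ordering are not modelled.

```python
import struct

# Constructed example: the rule options from the thread are emulated by hand
# against DNS queries built here; nothing below is captured traffic or
# Snort's own matching code.

NAME_CONTENT = b"\x09try2check\x02me\x00"               # content:"|09|try2check|02|me|00|"
HEADER_CONTENT = bytes.fromhex("01000001000000000000")  # content:"|01 00 00 01 00 00 00 00 00 00|"


def encode_name(name):
    """RFC 1035 label encoding: 'try2check.me' -> b'\\x09try2check\\x02me\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, flags=0x0100, txid=0x1234, tcp=False):
    """Single-question A/IN query. flags=0x0100 is RD only, the value the rev 3
    rule hard-codes; 0x0120 adds AD, 0x8180 is a typical response header.
    With tcp=True the 2-byte length prefix of RFC 1035 section 4.2.2 is prepended."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg if tcp else msg


def find_content(payload, needle, start=0, depth=None, nocase=False):
    """Emulate content with offset/depth and distance:0. Search from `start`;
    with depth, only `depth` bytes from `start` are searched. Returns the
    position just past the match (where a following relative option continues)
    or -1 when the content is not found."""
    hay = payload[start:] if depth is None else payload[start:start + depth]
    if nocase:  # bytes.lower() touches ASCII letters only, so |09| and |02| are unaffected
        hay, needle = hay.lower(), needle.lower()
    idx = hay.find(needle)
    return -1 if idx < 0 else start + idx + len(needle)


def rule_rev3(payload):
    """AD's rev 3: the exact flags+counts block at offset 2 depth 10, then the
    name (nocase) after it. Any other flag combination is a miss."""
    end = find_content(payload, HEADER_CONTENT, start=2, depth=10)
    return end >= 0 and find_content(payload, NAME_CONTENT, start=end, nocase=True) >= 0


def rule_byte_test(payload, tcp=False):
    """rmkml's alternative, assumed written as byte_test:1,!&,128,<off>: the QR
    bit of the flags high byte must be clear (a query), then the name anywhere.
    <off> is 2 for UDP; over TCP the length prefix moves the flags to offset 4,
    which is the offset mismatch rmkml warns about."""
    off = 4 if tcp else 2
    if len(payload) <= off or payload[off] & 0x80:
        return False
    return find_content(payload, NAME_CONTENT, nocase=True) >= 0


def run_cases():
    """Returns {case: (rev3 fires, byte_test fires)} for constructed queries."""
    cases = {
        "udp_rd": (build_query("try2check.me"), False),                      # plain RD query
        "udp_rd_ad": (build_query("try2check.me", flags=0x0120), False),     # RD+AD: rev 3 misses
        "tcp_rd": (build_query("try2check.me", tcp=True), True),             # offsets shifted by 2
        "udp_response": (build_query("try2check.me", flags=0x8180), False),  # QR=1: not a query
        "udp_mixedcase": (build_query("Try2Check.ME"), False),               # nocase covers this
        "udp_other": (build_query("example.com"), False),                    # unrelated name
    }
    return {k: (rule_rev3(p), rule_byte_test(p, tcp)) for k, (p, tcp) in cases.items()}


if __name__ == "__main__":
    for case, (rev3, bt) in run_cases().items():
        print(f"{case:14s} rev3={rev3!s:5s} byte_test={bt}")
```

Running it shows the two false-negative cases rmkml is pointing at: a query whose flags are anything other than exactly 0x0100 never matches the rev 3 header content, and the same query over TCP fails the offset:2 depth:10 check because the length prefix shifts the header by two bytes. The byte_test variant only depends on the QR bit, so it survives other flag combinations, but it still needs a different offset in the TCP rule. The emulation is deliberately minimal; the real check is to load the rules into Snort and replay queries generated by dig, host and nslookup, as the thread suggests.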
Joel Esler | 25 Feb 22:34 2012

Re: .ch.vu sigs

Only is almost a keyword in and of itself.  You should only use "only" if you know what you are doing.  

On Feb 24, 2012, at 3:10 PM, harry.tuttle wrote:

> Not sure exactly, but what you say makes sense. I was just doing a cut and paste job without honestly paying much attention.
> 
> There are a lot of similar rules both with and without the "only" in the rule set.
> 
> Regards,
> Harry
> 
> 
> ---- On Fri, 24 Feb 2012 11:48:09 -0800 Edward Fjellskål  wrote ---- 
> 
>> On 02/24/2012 08:40 PM, harry.tuttle wrote: 
>>> content:".ch.vu|0D 0A|"; fast_pattern:only; http_header; 
>> 
>> Does that make sense ? 
>> 
>> "The optional argument _only_ can be used to specify that the content 
>> should only be used for the fast pattern matcher 
>> and should not be evaluated as a rule option." - Snort doc 
>> 
>> fast_pattern looks in the whole payload, therefore http_header; 
>> would not make sense? 
>> 
>> suggest changing to: 
>> content:".ch.vu|0D 0A|"; fast_pattern; http_header; 
>> 
>> To state it correct? 
>> I might be wrong... so correct me :) 
>> 
>> 
>> E 
>> _______________________________________________ 
>> Emerging-sigs mailing list 
>> Emerging-sigs@... 
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs 
>> 
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com 
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current! 
>> 
> 

