Thierry Chich | 1 Feb 11:40 2010

FP ET RBN Known Russian Business Network IP UDP

Hello,

I have a huge amount of alerts from these rules, mainly because of DNS 
traffic. It seems there are official DNS servers in these networks. It 
seems to me that an alert shouldn't be triggered by a DNS request 
towards these networks. Even if it could be interpreted as a symptom 
of a compromised host, it is really difficult to find it, since there 
can be a lot of DNS forwarders involved.

I suggest that this kind of rules take !53 as destination port.

Thierry Chich

PS: Don't forget, I am not the Sourcefire troll. My English grammar is 
really poor, and I am really French. It is not a clever ruse.

Kevin Ross | 1 Feb 13:49 2010

8 Sigs

All of these have been tested and are working. Kev

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; content:!"|0A|"; within:55; isdataat:55,relative; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX admin/config.php Password Information Disclosure Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"userdisplay="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+userdisplay\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37848; sid:18000212; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible FreePBX config.php SQL Injection Attempt"; flow:established,to_server; uricontent:"/admin/config.php"; nocase; uricontent:"display="; nocase; uricontent:"filter="; nocase; pcre:"/\x2Fadmin\x2Fconfig\x2Ephp.+display\x3D.+filter\x3D.+(SELECT.+FROM|DELETE.+FROM|UPDATE.+SET|INSERT.+INTO|UNION.+SELECT)/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37847; sid:18000213; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; distance:0; content:"ViewProfile"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37834; sid:18000214; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt"; flow:established,to_server; uricontent:"/zport/dmd/ZenUsers/admin"; nocase; uricontent:"defaultAdminLevel"; nocase; uricontent:"manage_editUserSettings"; nocase; uricontent:"method=Save"; nocase; uricontent:"password="; nocase; uricontent:"zenScreenName=editUserSettings"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000215; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\x2Flocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000216; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/userCommands/ping"; nocase; uricontent:"commandId=ping"; nocase; uricontent:"manage_editUserCommand"; nocase; uricontent:"ScreenName=userCommandDetail"; nocase; classtype:web-application-attack; reference:url,www.securityfocus.com/bid/37843; sid:18000217; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; content:!"|0A|"; within:200; isdataat:200,relative; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;) 


Kevin Ross | 1 Feb 14:56 2010

SIG:Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; content:!"|0A|"; within:42000; isdataat:42000,relative; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)

Kev



Re: FP ET RBN Known Russian Business Network IP UDP

Thierry, I too have noticed this, and I use a sed recipe to do this exact 
thing: not trigger on DNS traffic.  I've had some instances where known 
DNS providers like eNOM/GoDaddy were classified as RBN or Bot C&C.  This 
causes some definite issues regarding DNS.  I am only doing this for UDP 
53, not TCP 53, since I want to see AXFR/IXFR.

If there isn't much contention in doing this it may be a good idea to 
implement this against these rules.

#Do not block on DNS egress due to false positives and resolution failure.
/bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-rbn.rules
/bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-compromised.rules
/bin/sed -i 's/^alert udp\(.*\) any -> \(.*\)$/alert udp\1 \!53 -> \2/g' ./emerging-botcc.rules

I'm laughing at the PS line.  Curious, since you're French, is "Guise" 
even a French name?

-evilghost

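One way to do the same job as the sed recipe, written out as an added Python example rather than code from the thread or from the ET project. A caveat on the sed first: its pattern matches the port field before the arrow, so it rewrites the source port of every UDP rule; the script below instead edits the destination port of outbound UDP rules (our client or forwarder querying a listed resolver) and the source port of inbound UDP rules (the listed resolver replying from 53), and leaves TCP rules alone so AXFR/IXFR over TCP 53 still alerts. The sample rules are constructed in the ET rbn layout with RFC 5737 test networks, not real RBN netblocks.

```python
"""Exclude UDP port 53 from ET IP-reputation rules so DNS does not trip them.

Added example for this thread, not part of the ET ruleset or anyone's
tooling. Outbound rules ($HOME_NET any -> <list> any) get dport !53,
inbound rules (<list> any -> $HOME_NET any) get sport !53, everything else
(TCP, comments, rules with a specific port already) is returned unchanged.
"""
import re

# action proto src sport -> dst dport ( ...   (no whitespace inside [] lists)
HEADER = re.compile(r"^(alert|drop|pass)\s+udp\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")


def exclude_dns(rule, dns_port="53"):
    """Return `rule` with UDP `dns_port` excluded on the side facing the listed IPs."""
    m = HEADER.match(rule)
    if not m:
        return rule                                  # not a plain 'udp ... -> ...' rule
    action, src, sport, dst, dport = m.groups()
    if src == "$HOME_NET" and dport == "any":        # outbound: our host -> listed resolver
        dport = "!" + dns_port
    elif dst == "$HOME_NET" and sport == "any":      # inbound: listed resolver -> our host
        sport = "!" + dns_port
    else:
        return rule                                  # already narrowed, or not home-anchored
    return "%s udp %s %s -> %s %s " % (action, src, sport, dst, dport) + rule[m.end() - 1:]


def rewrite_rules(text):
    """Apply exclude_dns to every line; returns (new_text, number_of_changed_lines)."""
    out, changed = [], 0
    for line in text.splitlines():
        new = exclude_dns(line)
        changed += new != line
        out.append(new)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed


# Constructed sample in the ET rbn layout; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 test nets.
SAMPLE_RULES = """\
# constructed sample rules, not the ET rbn list
alert udp $HOME_NET any -> [192.0.2.0/24,198.51.100.0/24] any (msg:"SAMPLE RBN Known IP UDP outbound"; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:9000001; rev:1;)
alert udp [192.0.2.0/24,198.51.100.0/24] any -> $HOME_NET any (msg:"SAMPLE RBN Known IP UDP inbound"; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> [192.0.2.0/24,198.51.100.0/24] any (msg:"SAMPLE RBN Known IP TCP outbound"; flags:S; classtype:misc-attack; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                        # e.g. emerging-rbn.rules emerging-botcc.rules
        with open(path) as fh:
            new_text, n = rewrite_rules(fh.read())
        with open(path, "w") as fh:
            fh.write(new_text)
        print("%s: %d rule(s) rewritten" % (path, n))
```

The rewrite is idempotent (a port already set to `!53` is no longer `any`, so a second pass changes nothing), which matters because the ET files are replaced wholesale on every update and the script has to be re-run each time. The trade-off is the same as with the sed: a compromised host talking DNS to a listed resolver is no longer alerted on, so keep the TCP rules and the rest of the ruleset intact rather than widening the exclusion.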


Re: Proposed Signature - Oficla Check-In(DHLSPAM/Malware Campaign)

As time progresses the volume of false positives seems to increase, I'm 
seeing this against Fox Sports as well.  I recommend we revert to the 
original proposed signature, with minor changes, inclusive of the PCRE 
to anchor cast, to eliminate the FPs.  As of now the FP rate is too high 
to reliably use the signature.  Thoughts?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Check-in"; flow:established,to_server; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; pcre:"/\.php\?v=\d+&id=\d+&b=[a-z]+&tm=\d+/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010xxx; rev:1;)

-evilghost

evilghost@... wrote:
> I am seeing this as well, falsing against ads.  Can we consider using 
> the original signature with the PCRE and strict ordering?
>
> Mike Cox wrote:
>> I like this rule but it is falsing a lot for things like ads.  As much as I
>> hate to say it, perhaps we need to use a PCRE and enforce strict URI
>> parameter order....
>>
>> -Mike Cox

dn1nj4 | 1 Feb 15:18 2010

Proposed Signature: Zbot/Zeus Download Request

For your consideration...

Original Traffic (Host was one of about 10 different domains): 
GET /php/cfg.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

GET /~parti3an/qvadro/cfg.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

Signature: 
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; content:"Win32)|0d 0a|"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx;)

dn1nj4

Kevin Ross | 1 Feb 15:27 2010

Re: SIG:Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow

Thanks, I swapped the isdataat and the !"|0A|" around in this and two other sigs I submitted. The PCRE is not 100% needed but is there as a final check. Also, the vulnerability is triggered if the content after the DSC comment is larger than 42000 bytes, as you can read here: http://www.securityfocus.com/archive/1/508175.

alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; classtype:attempted-admin; reference:url,www.securityfocus.com/bid/38010; sid:18000211; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible Linux/EasySoftware HTMLDOC html File Handling Remote Stack Buffer Overflow Attempt"; flow:established,to_client; content:"MEDIA SIZE"; nocase; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/MEDIA SIZE.{200}/smi"; classtype:attempted-user; reference:cve,2009-3050; sid:18000218; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:42000,relative; content:!"|0A|"; within:42000; pcre:"/ADO\x5FDSC\x5FEncoding\x3A.+\x25.{42000}/smi"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)

Thanks for the pointer, Kev

On 1 February 2010 08:11, rmkml wrote:
> Hi Kevin,
> thanks for this sig, but I have three questions please:
> - Why have you written this sig with isdataat after the content negate?
> - pcre is not necessary here
> - 42000 is too high?
> maybe rewrite this sig:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Attempt"; flow:established,to_client; content:"ADO_DSC_Encoding|3A 20|"; nocase; content:"%"; within:50; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37192; reference:cve,2009-4195; sid:18000219; rev:1;)
>
> Regards
> Rmkml


Re: Proposed Signature: Zbot/Zeus Download Request

What's your thoughts on adding a content or uricontent match to avoid 
having to invoke the PCRE engine so often?  We did have something close 
to this, SID 2010348, but it looks like it's disabled by default and the 
PCRE would miss the tilde in the first URL.  There may be some useful 
items in 2010348 that could apply here, such as lack of HTTP REFERER and 
Accept: */*, that could be used to reduce FP potential.

-evilghost


Mike Cox | 1 Feb 15:33 2010

Re: Proposed Signature: Zbot/Zeus Download Request

My understanding is that Snort processes the rule left to right, so in this case the pcre would be evaluated before the last content directive, which is not good for performance.  Also, you could use the http_header directive to limit the Win32 search to the HTTP header buffer, but I don't think the ET rulesets "support" that directive yet.  Something like:

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"Win32)|0d 0a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:2;)

-Mike Cox



dn1nj4 | 1 Feb 15:47 2010

Re: Emerging-sigs Digest, Vol 27, Issue 2

Thanks for the feedback.  Drawing on evilghost and Mike's recommendations: 

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus Download Request"; content:"GET "; depth:4; content:"|0d 0a|Accept|3a| */*|0d 0a|"; content:"Win32)|0d 0a|"; content:!"|0d 0a|Referer|3a|"; pcre:"/\/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)/"; classtype:trojan-activity; reference:url,www.blog.malc0de.com/2009/12/16/list-of-zeuszbot-command-and-control-servers/; sid:2010xxx; rev:3;)

evilghost: 
My original thought was to reduce FPs by the simple inclusion of the Win32
User-Agent, which does not appear to be valid.

dn1nj4

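The two rule threads above (the Oficla check-in rule with its strict-order PCRE, and the three revisions of the Zbot/Zeus download request) make the same two points: cheap fixed-string checks go before the PCRE, and header conditions such as `Accept: */*` with no `Referer` are what keep an ad fetch from the same browser UA out of the alert. As an added example, not code from the thread or from the ET project, here is that logic written out in Python and run over captured requests, so the effect of each revision can be checked offline. The two Zeus requests are the ones dn1nj4 posted; the ad request, the Oficla check-in URI and the parameter-reordered look-alike are constructed for the test and use reserved example domains. The URI regex stands in for the `/U` pcre, the negated `Referer`/`Accept-Encoding` contents are modelled as header presence, and `depth`/`within` limits are not modelled.

```python
"""Evaluate the Oficla check-in and Zbot/Zeus download-request rules from this
thread against raw HTTP requests, cheapest checks first and the regex last.

Added example, not part of the ET ruleset or any poster's tooling. The
ZEUS_1/ZEUS_2 requests are the two dn1nj4 posted; the others are constructed.
"""
import re


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, {lower-case header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


ZEUS_PATH = re.compile(r"/(rec\.php|ip\.php|config\.bin|cfg\.bin|cfg2\.bin)")


def zeus_download_rev1(raw):
    """dn1nj4's first revision: GET, a Zeus-style file name, and a 'Win32)' User-Agent."""
    if not raw.startswith(b"GET "):
        return False
    _, uri, _ = parse_request(raw)
    return ZEUS_PATH.search(uri) is not None and b"Win32)\r\n" in raw


def zeus_download_rev3(raw):
    """Revision 3: adds 'Accept: */*' and no Referer; fixed strings first, regex last."""
    if not raw.startswith(b"GET "):
        return False
    if b"\r\nAccept: */*\r\n" not in raw:
        return False
    if b"Win32)\r\n" not in raw:
        return False
    if b"\r\nReferer:" in raw:                     # negated content: a Referer rules it out
        return False
    _, uri, _ = parse_request(raw)
    return ZEUS_PATH.search(uri) is not None


OFICLA_URI = re.compile(r"\.php\?v=\d+&id=\d+&b=[a-z]+&tm=\d+", re.I)


def oficla_checkin(raw):
    """Oficla rule: no Referer / Accept-Encoding, the four parameters, then strict order."""
    _, uri, headers = parse_request(raw)
    if "referer" in headers or "accept-encoding" in headers:
        return False
    lowered = uri.lower()                          # the uricontent checks are nocase
    if not all(token in lowered for token in (".php?v=", "&id=", "&b=", "&tm=")):
        return False
    return OFICLA_URI.search(uri) is not None      # strict parameter order, evaluated last


RULES = (("zeus_rev1", zeus_download_rev1),
         ("zeus_rev3", zeus_download_rev3),
         ("oficla", oficla_checkin))


def classify(raw):
    """Return the names of the rules a raw request matches."""
    return [name for name, fn in RULES if fn(raw)]


# The two requests dn1nj4 posted.
ZEUS_1 = (b"GET /php/cfg.bin HTTP/1.0\r\nAccept: */*\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\n\r\n")
ZEUS_2 = (b"GET /~parti3an/qvadro/cfg.bin HTTP/1.0\r\nAccept: */*\r\n"
          b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\n\r\n")
# Constructed: a browser fetching an ad script that happens to be called ip.php.
AD_REQUEST = (b"GET /static/ip.php?z=1 HTTP/1.1\r\nHost: ads.example.com\r\n"
              b"Accept: text/html\r\nReferer: http://www.example.com/\r\n"
              b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\n\r\n")
# Constructed to satisfy the Oficla PCRE (parameters in the order the rule expects).
OFICLA_CHECKIN = (b"GET /images/load.php?v=200&id=8712&b=xyz&tm=17 HTTP/1.1\r\n"
                  b"Host: c2.example.net\r\nUser-Agent: Mozilla/4.0\r\n\r\n")
# Constructed: same four parameters, different order; passes the uricontent checks only.
OFICLA_LOOKALIKE = (b"GET /images/load.php?v=200&tm=17&id=8712&b=xyz HTTP/1.1\r\n"
                    b"Host: ads.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("zeus 1", ZEUS_1), ("zeus 2", ZEUS_2), ("ad", AD_REQUEST),
                       ("oficla", OFICLA_CHECKIN), ("look-alike", OFICLA_LOOKALIKE)):
        print("%-10s %s" % (label, classify(raw)))
```

The ad request is the interesting case: revision 1 of the Zeus rule fires on it (GET, `/ip.php`, Win32 UA), revision 3 does not (wrong Accept, has a Referer), and the Oficla look-alike shows why the strict-order PCRE is needed even after all four `uricontent` tokens match. To test a new revision against real traffic, feed the raw request bytes of each alert into `classify` and compare the lists per revision.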

