Snort mailing list archives
Re: [Emerging-Sigs] Coverage for the "Night Dragon" Trojan
From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Thu, 10 Feb 2011 16:31:58 -0500
That's what we have now Mike, thanks! The fixed rules are now available!

Matt

On Feb 10, 2011, at 4:29 PM, Mike Iacovacci wrote:

The offset and depth are correct at 12 and 4 respectively (offset is from the data payload, not the entire frame); however, the pcre will not match because the "plain text signature" we are looking for is 'hW$', i.e. \x68\x57\x24\x13 (see traffic sample below). Therefore I would propose the following signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:xxxxxx; gid:1; content:"|68 57 24 13|"; rawbytes; offset:12; depth:4; msg:"Night Dragon C&C"; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; rev:1; )

traffic sample:

0000 00 17 f2 e6 88 5e 00 0c 29 64 61 33 08 00 45 00 .....^.. )da3..E.
0010 00 38 b9 de 40 00 80 06 bc ca c0 a8 01 5b c0 a8 .8..@... .....[..
0020 01 6b 05 42 00 50 db 8f 01 c1 41 6f 0e d9 50 18 .k.B.P.. ..Ao..P.
0030 ff 32 04 b5 00 00 03 50 00 00 00 00 00 c2 63 16 .2.....P ......c.
0040 01 00 68 57 24 13 ..hW$.

- Mike Iacovacci

On Thu, Feb 10, 2011 at 4:19 PM, Nick Randolph <randolphdavidn () gmail com> wrote:

I missed that on the offset and depth.

On Thu, Feb 10, 2011 at 4:01 PM, Mike Cox <mike.cox52 () gmail com> wrote:

Hmmm ... this sounds like the sig I proposed to Emerging Threats this morning but got no feedback on. Sourcefire, please let me know where to send the bill.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon C&C Communication Outbound"; content:"|68 57 24 13|"; offset:12; depth:4; http_body; pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P"; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; sid:2011213456;)

-Mike Cox

On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney () sourcefire com> wrote:

Hey ET folks who are here... If you guys could pass on this information: The rules provided won't fire on Night Dragon C&C traffic. The offset:66 is calculated from the beginning of the Layer 2 portion of the packet. The data portion (what Snort looks at) starts at offset 54. The correct offset for the rule should be 12. Also, you probably want to add a depth: qualifier of 3 bytes so you don't false-positive further down the packet.

Don't normally check in on you guys, but this was important enough to check.

Matt

On Thu, Feb 10, 2011 at 2:47 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:

On 02/10/11 13:41, Joel Esler wrote:

Registered users will have the normal 30 day wait.

Joel, I think this is ok to post here... Those who are looking for coverage and are not VRT subscribers: they're in Emerging-Threats (http://www.emergingthreats.net). There's an ongoing discussion here regarding several signatures which have been proposed for inclusion, see http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html

Disclaimer - I have no vested interest in EmergingThreats, I'm just a simple/normal community participant there.

--
It has been said that "hate" is a powerful emotion, perhaps that's why I'm so strong.

-evilghost
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
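Added example, not code from the thread or from either rule set: a Python check that strips the Ethernet, IPv4 and TCP headers from the sample frame posted above to recover the payload that Snort's content offset/depth count from, then evaluates the offset:66, offset:12/depth:3 and offset:12/depth:4 variants and Mike Cox's pcre against it. The header decoding assumes an untagged Ethernet frame carrying IPv4 and TCP, as in the sample; the frame bytes are constructed from the hex dump in the thread.

```python
"""Added example (not from the thread): evaluate the Night Dragon rule variants
discussed above against the sample Mike Iacovacci posted, using Snort's
semantics: content offset/depth count from the start of the TCP payload."""
import re

# Constructed from the hex dump in the thread: a 70-byte Ethernet/IPv4/TCP frame.
FRAME = bytes.fromhex(
    "00 17 f2 e6 88 5e 00 0c 29 64 61 33 08 00 45 00"
    "00 38 b9 de 40 00 80 06 bc ca c0 a8 01 5b c0 a8"
    "01 6b 05 42 00 50 db 8f 01 c1 41 6f 0e d9 50 18"
    "ff 32 04 b5 00 00 03 50 00 00 00 00 00 c2 63 16"
    "01 00 68 57 24 13"
)
CONTENT = b"\x68\x57\x24\x13"  # |68 57 24 13|, i.e. "hW$" followed by 0x13
# Mike Cox's pcre as a bytes regex; Snort's /P (http_body) modifier is dropped here.
PCRE = re.compile(rb"[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13", re.DOTALL)

def payload_offset(frame: bytes) -> int:
    """Ethernet (14) + IPv4 header (IHL) + TCP header (data offset). Assumes an
    untagged Ethernet frame carrying IPv4 over TCP, as in the sample."""
    ihl = (frame[14] & 0x0F) * 4                 # IPv4 header length in bytes
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4  # TCP header length in bytes
    return tcp_start + data_off

def content_match(payload: bytes, pattern: bytes, offset: int, depth=None) -> bool:
    """Snort 'content' semantics: search the window that starts `offset` bytes into
    the payload and is `depth` bytes long (to the end of the payload if no depth)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window

def evaluate(frame: bytes) -> dict:
    """Try each offset/depth discussed in the thread, plus the pcre, on one frame."""
    payload = frame[payload_offset(frame):]
    return {
        "payload_offset": payload_offset(frame),                    # 54, as Matt Olney notes
        "offset66": content_match(payload, CONTENT, 66),            # L2-relative: past the payload
        "offset12_depth3": content_match(payload, CONTENT, 12, 3),  # 4-byte pattern needs depth >= 4
        "offset12_depth4": content_match(payload, CONTENT, 12, 4),  # the corrected rule
        "pcre": PCRE.search(payload) is not None,
    }

if __name__ == "__main__":
    for name, result in evaluate(FRAME).items():
        print(f"{name}: {result}")
```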