Snort mailing list archives

Re: Caphaw sigs


From: Joel Esler <jesler () sourcefire com>
Date: Sat, 21 Sep 2013 21:57:01 -0400

Thanks!  We'll get these tested. 


--
Joel Esler
Sent from my iPad

On Sep 20, 2013, at 7:09 PM, Y M <snort () outlook com> wrote:

Second paragraph under "Use of DGA" from the reference: 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw outbound connection attempt"; flow:to_server,established; content:"/ping.html?r="; http_uri; fast_pattern:only; content:!"/utils/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:100044; rev:1;)

Another rule can be devised from the reference which is similar to sid:27538, with a slight modification to the first 
content match and an additional content match for "localhost":

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"localhost"; content:"|55 04 0A 13 0E|MyCompany Ltd"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ssl; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:100045; rev:1;)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
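The following is an added example and is not part of the thread, nor Sourcefire/Snort code: it reproduces the match logic of the two posted rules in Python so they can be checked against constructed data offline. The function names, the minimal DER encoder and every sample request and certificate fragment below are this example's own. It also shows a detail of sid:100045 worth knowing: the hex prefix `|55 04 0A 13 0E|` is the contents of OID 2.5.4.10 (organizationName), the PrintableString tag 0x13 and a length octet of 0x0E (14), while "MyCompany Ltd" is 13 characters, so the pattern only matches an organizationName of 14 bytes that begins with "MyCompany Ltd", not one that is exactly "MyCompany Ltd".

```python
"""
Added example, not part of the mailing-list thread: reproduces the match
logic of sid:100044 and sid:100045 in Python so the patterns can be checked
against constructed data offline. Function names, the DER helpers and all
sample inputs are this example's own, not Snort's or Sourcefire's.
"""

# --- sid:100044: URI contains "/ping.html?r=", payload does not contain "/utils/" ---

def rule_100044_matches(request: bytes) -> bool:
    """Mirror the two content checks of sid:100044.

    The first content carries http_uri, so only the request-target of the
    request line is examined. The negated content has no buffer modifier,
    so it is checked against the whole payload.
    """
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    uri = parts[1]
    return b"/ping.html?r=" in uri and b"/utils/" not in request


# --- sid:100045: DER bytes of the organizationName attribute ---

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(body)) + body


# Object identifiers used in an X.509 subject, DER-encoded contents only.
OID_ORGANIZATION_NAME = bytes.fromhex("55040a")  # 2.5.4.10, id-at-organizationName
OID_COMMON_NAME = bytes.fromhex("550403")        # 2.5.4.3,  id-at-commonName


def attribute(oid_contents: bytes, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }"""
    return der_tlv(0x30, der_tlv(0x06, oid_contents) + der_tlv(0x13, value.encode("ascii")))


def subject_name(organization: str, common_name: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName (each a SET OF one attribute).

    Constructed stand-in for the subject of a self-signed certificate as it
    would appear inside the server's Certificate message; not a real cert.
    """
    return der_tlv(0x30, der_tlv(0x31, attribute(OID_ORGANIZATION_NAME, organization))
                         + der_tlv(0x31, attribute(OID_COMMON_NAME, common_name)))


# The bytes sid:100045 looks for: OID contents 55 04 0A, PrintableString tag 0x13,
# length octet 0x0E (14), then the 13 characters "MyCompany Ltd". Because the
# length octet is 14, only a 14-byte organizationName whose first 13 bytes are
# "MyCompany Ltd" matches; a value of exactly "MyCompany Ltd" (length 0x0D) does not.
RULE_100045_ORG_PATTERN = bytes.fromhex("55040a130e") + b"MyCompany Ltd"


def rule_100045_matches(server_payload: bytes) -> bool:
    """Both contents of sid:100045 must be present in the server-side data."""
    return b"localhost" in server_payload and RULE_100045_ORG_PATTERN in server_payload


if __name__ == "__main__":
    # Constructed sample inputs; not captured traffic.
    print(rule_100044_matches(b"GET /ping.html?r=1234 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"))        # True
    print(rule_100044_matches(b"GET /utils/ping.html?r=1234 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"))  # False
    print(rule_100045_matches(subject_name("MyCompany Ltd.", "localhost")))  # True
    print(rule_100045_matches(subject_name("MyCompany Ltd", "localhost")))   # False: length octet is 0x0D
```

Running the block shows the consequence of the length octet directly: a subject with O="MyCompany Ltd." (14 bytes) and CN=localhost fires, while O="MyCompany Ltd" (13 bytes) does not, so the rule should be tuned to whichever value the certificates in the reference actually carry.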