Fwd: Re: Asprox Sig

[James Lay <jlay () slave-tothe-box net>]

-------- Original Message --------
Subject: Re: [Snort-sigs] Asprox Sig
Date: 2013-11-12 15:05
 From: James Lay <jlay () slave-tothe-box net>
To: Geoffrey Serrao <gserrao () sourcefire com>

On 2013-11-12 15:00, Geoffrey Serrao wrote:
> Hey James,
>
> Thanks for your contribution. 
>
> Post data is actually stored in the http_client_body buffer (not
> http_header)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-CNC
>  Win32/Asprox Outbound Traffic"; flow:to_server, established;
> content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b|
> WOW64|3b|rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0";
> fast_pattern:only; http_header;
> content:"Content-Disposition|3a| form-data|3b|name=|22|key|22 3b|
> filename=|22|key.bin|22|"; http_client_body;
>
> reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html
> [7];
> classtype:bad-unknown; sid:10000111; rev:1;)
>
> Looks like a solid rule, the post data looks pretty unique. 
>
> The VRT might recommend adding nocase to the second content match, 
> but
> Im not sure its necessary. 
>
> On Tue, Nov 12, 2013 at 4:05 PM, James Lay <jlay () slave-tothe-box net
> [8]> wrote:
>
> > Ok..so how bad did I hose this:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"MALWARE-CNC
> > Win32/Asprox Outbound Traffic"; flow:to_server, established;
> > content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b|
> > WOW64|3b|
> > rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only;
> > http_header; content:"Content-Disposition|3a| form-data|3b|
> > name=|22|key|22 3b| filename=|22|key.bin|22|"; http_header;
>
> reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html
> > [1];
> > classtype:bad-unknown; sid:10000111; rev:1;)
> >
> > James
>
> Geoffrey J. Serrao
> SOURCEfire Technical Support
> My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - 
> Friday.
> If you need assistance outside of these hours, please contact
> support () sourcefire com [9] and another engineer will respond.

Thanks Alex and Geoffrey.

Yea I was confused on just where Content-Disposition: landed...is it a 
header, or is it body?  I was thinking of adding both key.bin and 
data.bin, but thought I'd just shoot for the one.  Thank you!

James


------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!