Snort mailing list archives
Fwd: Re: Asprox Sig
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 12 Nov 2013 15:05:37 -0700
-------- Original Message --------
Subject: Re: [Snort-sigs] Asprox Sig
Date: 2013-11-12 15:05
From: James Lay <jlay () slave-tothe-box net>
To: Geoffrey Serrao <gserrao () sourcefire com>

On 2013-11-12 15:00, Geoffrey Serrao wrote:
> Hey James,
>
> Thanks for your contribution. Post data is actually stored in the http_client_body buffer (not http_header):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Asprox Outbound Traffic"; flow:to_server, established; content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b|rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; http_header; content:"Content-Disposition|3a| form-data|3b|name=|22|key|22 3b| filename=|22|key.bin|22|"; http_client_body; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; classtype:bad-unknown; sid:10000111; rev:1;)
>
> Looks like a solid rule, the post data looks pretty unique. The VRT might recommend adding nocase to the second content match, but I'm not sure it's necessary.
>
> On Tue, Nov 12, 2013 at 4:05 PM, James Lay <jlay () slave-tothe-box net> wrote:
>
>> Ok..so how bad did I hose this:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Asprox Outbound Traffic"; flow:to_server, established; content:"User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| rv:23.0|29| Gecko|2f|20100101 Firefox|2f|23.0"; fast_pattern:only; http_header; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| filename=|22|key.bin|22|"; http_header; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; classtype:bad-unknown; sid:10000111; rev:1;)
>>
>> James
>
> Geoffrey J. Serrao
> SOURCEfire Technical Support
> My office hours are 10:00 AM to 7:00 PM Eastern time, Monday - Friday. If you need assistance outside of these hours, please contact support () sourcefire com and another engineer will respond.
Thanks Alex and Geoffrey. Yea, I was confused on just where Content-Disposition: landed...is it a header, or is it body? I was thinking of adding both key.bin and data.bin, but thought I'd just shoot for the one. Thank you!

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
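The buffer distinction Geoffrey points out, shown as an added example that is not part of the thread and not Sourcefire or Snort code: a small Python model of how the HTTP preprocessor splits a request into the http_header and http_client_body buffers, with both versions of the rule's content matches run against a constructed multipart POST (not captured Asprox traffic). The content strings are copied from James's rule, including its |hex| escapes; the request, boundary, host and path are made up for the demonstration.

```python
# Added example, not code from the Snort-sigs thread: models how the HTTP
# preprocessor fills the http_header and http_client_body buffers, to show
# why a rule that looks for a multipart Content-Disposition line in
# http_header cannot fire, while the same content in http_client_body can.
# The request below is constructed for illustration, not captured traffic.
from typing import Dict, List, Tuple


def decode_snort_content(s: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes.
    Text between pipes is hex (whitespace allowed, e.g. |22 3b|);
    text outside pipes is literal."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


# Content strings as written in James's rule (his spacing).
UA_CONTENT = ("User-Agent: Mozilla|2f|5.0 |28|Windows NT 6.1|3b| WOW64|3b| rv:23.0|29| "
              "Gecko|2f|20100101 Firefox|2f|23.0")
CD_CONTENT = ('Content-Disposition|3a| form-data|3b| name=|22|key|22 3b| '
              'filename=|22|key.bin|22|')

# Constructed multipart POST of the shape the rule is meant to catch.
_BODY = b"".join([
    b"------AaB03x\r\n",
    decode_snort_content(CD_CONTENT) + b"\r\n",
    b"Content-Type: application/octet-stream\r\n",
    b"\r\n",
    b"\x00\x01\x02\x03\r\n",
    b"------AaB03x--\r\n",
])
SAMPLE_REQUEST = b"".join([
    b"POST /index.php HTTP/1.1\r\n",
    b"Host: example.invalid\r\n",
    decode_snort_content(UA_CONTENT) + b"\r\n",
    b"Content-Type: multipart/form-data; boundary=----AaB03x\r\n",
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n",
    b"\r\n",
    _BODY,
])


def http_buffers(raw: bytes) -> Dict[str, bytes]:
    """Approximate the preprocessor: header lines after the request line go
    to http_header, everything after the blank line to http_client_body.
    The multipart part headers are *inside* the body, so they never reach
    http_header."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    _request_line, _, headers = head.partition(b"\r\n")
    return {"http_header": headers + b"\r\n", "http_client_body": body}


# (content string, buffer modifier, nocase); all entries are ANDed like the
# content matches of a single Snort rule.
Content = Tuple[str, str, bool]


def rule_matches(raw: bytes, contents: List[Content]) -> bool:
    bufs = http_buffers(raw)
    for content, buffer_name, nocase in contents:
        needle, hay = decode_snort_content(content), bufs[buffer_name]
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


# James's first version: both content matches against http_header.
ORIGINAL_RULE: List[Content] = [(UA_CONTENT, "http_header", False),
                                (CD_CONTENT, "http_header", False)]
# Geoffrey's correction: the form-data line is looked up in the body.
CORRECTED_RULE: List[Content] = [(UA_CONTENT, "http_header", False),
                                 (CD_CONTENT, "http_client_body", False)]
# His optional suggestion: nocase on the second content match.
CORRECTED_NOCASE_RULE: List[Content] = [(UA_CONTENT, "http_header", False),
                                        (CD_CONTENT, "http_client_body", True)]

if __name__ == "__main__":
    print("original  (both in http_header):", rule_matches(SAMPLE_REQUEST, ORIGINAL_RULE))
    print("corrected (http_client_body):   ", rule_matches(SAMPLE_REQUEST, CORRECTED_RULE))
```

The model is deliberately narrow: it ignores chunked bodies, normalization and the fast_pattern:only shortcut, and only illustrates which buffer a given byte sequence lands in. The nocase variant shows what Geoffrey's suggestion would buy: a client that emits `content-disposition` in lower case would be missed by the case-sensitive match but caught by the nocase one.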