Snort mailing list archives
Re: ZeroAccess Supernode
From: Andre DiMino <adimino () sempersecurus org>
Date: Thu, 5 Jun 2014 11:16:17 -0400
Hi Carlos,

As an FYI, on production boxes I'm seeing the new community rule (1:31136) for inbound ZeroAccess as being a bit too noisy. I've tweaked it a bit to enable thresholding of 3 events in 60 seconds based on the destination IP. That seems to quiet it down a bit, yet provide accurate alerts for internal hosts potentially acting as a supernode.

Andre'

On Mon, Jun 2, 2014 at 10:41 AM, Carlos Pacho <cpacho () sourcefire com> wrote:
Hi Andre,

The new rule looks good. We are going to add it to the community ruleset.

Thanks,
Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

On Fri, May 30, 2014 at 11:59 AM, Andre DiMino <adimino () sempersecurus org> wrote:

$dayjob has been receiving reports that a few of our hosts are acting as ZeroAccess 'supernodes'. Since we have a bunch of ZeroAccess rules enabled, I was wondering why I didn't see them fire. It seems that rule sid:23493; rev:5 will fire on outbound traffic particular to this ZeroAccess incident; however, it won't fire on the inbound traffic.

alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5;)

So I tweaked the rule as follows to allow for alerting on inbound ZeroAccess:

alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity;)

I need to tweak thresholding a bit, but overall it has been working well in my limited tests. Any thoughts or comments?

--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
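The detection logic discussed in this thread, as an added Python example that is not code from the thread, from Snort, or from the Sourcefire VRT: it re-implements the payload test shared by sid 23493 and the inbound rule (dsize:16, the four content bytes |28 94 8D AB| at offset 4, the four UDP ports), decides direction by HOME_NET membership the way the two rules' source/destination variables do, and applies a simplified version of a Snort by_dst threshold of 3 events in 60 seconds to the inbound matches only, which is what the thread's tweak of 1:31136 amounts to. HOME_NET of 10.0.0.0/8, the addresses, the timestamps and the payload filler bytes around the magic are all assumptions, and the packet list is constructed for the example; Snort's own threshold bookkeeping differs in detail from the window reset used here.

```python
import ipaddress
from dataclasses import dataclass

# Assumed HOME_NET for the example; the rules use Snort's $HOME_NET / $EXTERNAL_NET variables.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
# Values taken from the rules posted in the thread.
ZA_PORTS = {16464, 16465, 16470, 16471}
ZA_MAGIC = bytes.fromhex("28948DAB")   # content:"|28 94 8D AB|"; depth:4; offset:4
ZA_DSIZE = 16                          # dsize:16


@dataclass(frozen=True)
class UdpPacket:
    ts: float        # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


def za_content_match(pkt):
    """Payload test shared by both rules: 16-byte UDP payload to a ZeroAccess port,
    with the four magic bytes exactly at offset 4 (depth 4 from offset 4)."""
    if pkt.dport not in ZA_PORTS or len(pkt.payload) != ZA_DSIZE:
        return False
    return pkt.payload[4:8] == ZA_MAGIC


def za_direction(pkt):
    """'outbound' mirrors sid 23493 ($HOME_NET -> $EXTERNAL_NET), 'inbound' mirrors the
    supernode rule ($EXTERNAL_NET -> $HOME_NET); None if the payload or direction does not match."""
    if not za_content_match(pkt):
        return None
    src_home = ipaddress.ip_address(pkt.src) in HOME_NET
    dst_home = ipaddress.ip_address(pkt.dst) in HOME_NET
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    return None   # internal-to-internal or external-to-external: neither rule fires


class ByDstThreshold:
    """Simplified 'track by_dst, count N, seconds S': one window per destination IP,
    started by the first counted event; fires on the Nth event inside the window and
    then starts counting again, so a busy destination alerts once per N hits."""

    def __init__(self, count=3, seconds=60):
        self.count = count
        self.seconds = seconds
        self.state = {}   # dst -> (window_start, hits)

    def event(self, dst, ts):
        start, hits = self.state.get(dst, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, hits = ts, 0          # window expired (or never opened): reset
        hits += 1
        if hits >= self.count:
            self.state[dst] = (start, 0)  # alert, then count afresh in the same window
            return True
        self.state[dst] = (start, hits)
        return False


def run_inbound_supernode_detector(packets, count=3, seconds=60):
    """Inbound rule plus by_dst threshold; returns the (ts, dst) pairs that would alert."""
    thr = ByDstThreshold(count, seconds)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if za_direction(pkt) == "inbound" and thr.event(pkt.dst, pkt.ts):
            alerts.append((pkt.ts, pkt.dst))
    return alerts


def za_payload():
    """Constructed 16-byte payload: 4 filler bytes, the magic, 8 filler bytes."""
    return bytes(4) + ZA_MAGIC + bytes(8)


# Constructed sample traffic (addresses, ports and times are assumptions).
SAMPLE_PACKETS = [
    UdpPacket(0.0, "198.51.100.7", "10.1.2.3", 16464, za_payload()),
    UdpPacket(10.0, "198.51.100.8", "10.1.2.3", 16465, za_payload()),
    UdpPacket(15.0, "198.51.100.9", "10.1.2.3", 16464, bytes(4) + b"\xde\xad\xbe\xef" + bytes(8)),  # wrong magic, ignored
    UdpPacket(20.0, "203.0.113.5", "10.1.2.3", 16471, za_payload()),    # 3rd inbound hit within 60 s: alert
    UdpPacket(25.0, "203.0.113.5", "10.1.2.4", 16464, za_payload()),    # lone hit on another host: no alert
    UdpPacket(30.0, "10.1.2.3", "203.0.113.9", 16470, za_payload()),    # outbound (sid 23493), not counted here
    UdpPacket(100.0, "198.51.100.7", "10.1.2.3", 16464, za_payload()),  # window expired, counting restarts
    UdpPacket(110.0, "198.51.100.8", "10.1.2.3", 16464, za_payload()),
    UdpPacket(115.0, "198.51.100.9", "10.1.2.3", 16464, za_payload()),  # 3rd hit again: alert
]

if __name__ == "__main__":
    for ts, dst in run_inbound_supernode_detector(SAMPLE_PACKETS):
        print(f"t={ts:6.1f}  possible ZeroAccess supernode: {dst}")
```

The host with three matching inbound packets inside a minute is what the thresholded rule surfaces; a single stray probe, the outbound beacon covered by sid 23493, and a packet on the right port with the wrong magic bytes all stay quiet, which is the noise reduction the thread describes.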
Current thread:
- ZeroAccess Supernode Andre DiMino (May 30)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 05)
- Re: ZeroAccess Supernode Joel Esler (jesler) (Jun 05)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)