Snort mailing list archives
Re: ZeroAccess Supernode
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 6 Jun 2014 02:15:46 +0000
Andre,

We generally (when I mean generally, I mean generally) don't apply "alerting" thresholds to rules. We leave that up to the user.

On Jun 5, 2014, at 11:16 AM, Andre DiMino <adimino () sempersecurus org> wrote:

Hi Carlos,

As an FYI, on production boxes I'm seeing the new community rule (1:31136) for inbound ZeroAccess as being a bit too noisy. I've tweaked it a bit to enable thresholding of 3 events in 60 seconds based on the destination IP. That seems to quiet it down a bit, yet provide accurate alerts for internal hosts potentially acting as a supernode.

Andre'

On Mon, Jun 2, 2014 at 10:41 AM, Carlos Pacho <cpacho () sourcefire com> wrote:

Hi Andre,

The new rule looks good. We are going to add it to the community ruleset.

Thanks,
Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho () sourcefire com
Sourcefire.com

On Fri, May 30, 2014 at 11:59 AM, Andre DiMino <adimino () sempersecurus org> wrote:

$dayjob has been receiving reports that a few of our hosts are acting as ZeroAccess 'supernodes'. Since we have a bunch of ZeroAccess rules enabled, I was wondering why I didn't see them fire. It seems that rule sid:23493; rev:5 will fire on outbound traffic particular to this ZeroAccess incident, however it won't fire on the inbound traffic.

alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5;)

So I tweaked the rule as follows to allow for the alerting on inbound ZeroAccess:

alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity;)

I need to tweak thresholding a bit, but overall it has been working well in my limited tests. Any thoughts or comments?

--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!

--
Andre' M. DiMino
DeepEnd Research
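As an added example that is not part of the thread, nor code from Snort or the VRT: a small Python model of the inbound rule Andre posted, followed by the "3 events in 60 seconds, tracked by destination IP" threshold he applied to 1:31136, run over constructed UDP records. It assumes $HOME_NET is 10.0.0.0/8, that the threshold is Snort's "type both" (the post does not say which type he used), and that the community rule carries gid 1 / sid 31136. Note in passing that the rule as posted has no sid option, which Snort requires; local rules conventionally use sid 1000000 or higher so they never collide with VRT/community ids.

```python
# Added example, not code from the thread or from Snort/VRT: a pure-Python mirror
# of the inbound ZeroAccess rule plus the "3 events in 60 seconds, tracked by
# destination IP" threshold Andre describes, run over constructed UDP records.
# In Snort 2.9 the same threshold would be written in snort.conf as (assumed gid 1,
# community sid 31136, "type both" assumed since the post does not say which):
#   event_filter gen_id 1, sig_id 31136, type both, track by_dst, count 3, seconds 60
from ipaddress import ip_address, ip_network

ZA_MAGIC = bytes.fromhex("28948DAB")              # content:"|28 94 8D AB|"; offset:4; depth:4
ZA_PORTS = {16464, 16465, 16470, 16471}            # destination ports from the rule header
HOME_NET = ip_network("10.0.0.0/8")                # assumed value of $HOME_NET


def matches_inbound_rule(pkt):
    """True if a packet record satisfies the inbound rule header and options:
    udp $EXTERNAL_NET any -> $HOME_NET [ports]; dsize:16; magic bytes at 4..7."""
    if pkt["proto"] != "udp":
        return False
    src_home = ip_address(pkt["src"]) in HOME_NET
    dst_home = ip_address(pkt["dst"]) in HOME_NET
    if src_home or not dst_home:                   # $EXTERNAL_NET means !$HOME_NET
        return False
    if pkt["dport"] not in ZA_PORTS:
        return False
    payload = pkt["payload"]
    if len(payload) != 16:                         # dsize:16 is an exact size match
        return False
    return payload[4:8] == ZA_MAGIC                # offset:4 depth:4 -> exactly bytes 4..7


class ThresholdBoth:
    """Model of Snort 'type both, track by_dst, count N, seconds S': at most one
    alert per destination per S-second window, raised only when the N-th matching
    event in that window arrives (window opens at the first event seen)."""

    def __init__(self, count=3, seconds=60):
        self.count = count
        self.seconds = seconds
        self.windows = {}                          # dst -> (window_start, events_seen)

    def observe(self, dst, ts):
        start, seen = self.windows.get(dst, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0                    # open a fresh window
        seen += 1
        self.windows[dst] = (start, seen)
        return seen == self.count                  # fires once; later events stay quiet


def detect(packets, count=3, seconds=60):
    """Run the rule, then the threshold; return (ts, dst) for every alert that
    would actually reach the analyst."""
    thr = ThresholdBoth(count, seconds)
    alerts = []
    for pkt in packets:
        if matches_inbound_rule(pkt) and thr.observe(pkt["dst"], pkt["ts"]):
            alerts.append((pkt["ts"], pkt["dst"]))
    return alerts


def za_payload(extra=b""):
    """Constructed 16-byte datagram with the magic at offset 4 (plus optional padding)."""
    return b"\x00" * 4 + ZA_MAGIC + b"\x00" * 8 + extra


def _udp(ts, src, dst, dport=16464, payload=None):
    return {"ts": ts, "proto": "udp", "src": src, "dst": dst, "dport": dport,
            "payload": za_payload() if payload is None else payload}


# Constructed traffic (not a real capture). 10.1.2.3 behaves like a supernode:
# many external peers hit it; 10.9.9.9 receives only two probes and never alerts.
SAMPLE_PACKETS = [
    _udp(0, "203.0.113.10", "10.1.2.3"),
    _udp(5, "198.51.100.7", "10.1.2.3", 16465),
    _udp(9, "192.0.2.44", "10.1.2.3", 16471),          # 3rd in window -> alert
    _udp(20, "203.0.113.11", "10.1.2.3"),              # suppressed by threshold
    _udp(30, "203.0.113.12", "10.1.2.3", 16470),       # suppressed
    _udp(31, "10.1.2.3", "203.0.113.10"),              # outbound: sid 23493's job, not this rule
    _udp(40, "203.0.113.13", "10.9.9.9"),
    _udp(41, "203.0.113.14", "10.9.9.9"),              # only 2 events -> no alert
    _udp(42, "203.0.113.15", "10.9.9.9", payload=za_payload(b"\x00")),  # dsize 17 -> no match
    _udp(43, "203.0.113.16", "10.9.9.9", dport=53),    # wrong port -> no match
    _udp(200, "198.51.100.8", "10.1.2.3"),             # new 60 s window
    _udp(201, "198.51.100.9", "10.1.2.3"),
    _udp(202, "198.51.100.10", "10.1.2.3"),            # 3rd again -> second alert
]

if __name__ == "__main__":
    for ts, dst in detect(SAMPLE_PACKETS):
        print(f"t={ts:>4}s  possible ZeroAccess supernode: {dst}")
```

Running it yields two alerts for 10.1.2.3 (at t=9 and t=202) and none for 10.9.9.9, which is the behaviour Andre wanted: ten raw rule matches collapse to two actionable events, and a host that merely receives a couple of stray peer probes stays below the bar. Tracking by destination is the right key here because the question is "which internal host is being treated as a supernode", not which external peer is talking to it.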
Current thread:
- ZeroAccess Supernode Andre DiMino (May 30)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 02)
- Re: ZeroAccess Supernode Andre DiMino (Jun 05)
- Re: ZeroAccess Supernode Joel Esler (jesler) (Jun 05)
- Re: ZeroAccess Supernode Carlos Pacho (Jun 02)