Snort mailing list archives

Re: ZeroAccess Supernode


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 6 Jun 2014 02:15:46 +0000

Andre,

We generally (when I mean generally, I mean generally) don’t apply “alerting” thresholds to rules.  We leave that up to the user.



On Jun 5, 2014, at 11:16 AM, Andre DiMino <adimino () sempersecurus org> wrote:

Hi Carlos,

As an FYI, on production boxes I'm seeing the new community rule (1:31136) for inbound ZeroAccess as being a bit too noisy.
I've tweaked it a bit to enable thresholding of 3 events in 60 seconds based on the destination IP.
That seems to quiet it down a bit, yet provide accurate alerts for internal hosts potentially acting as a supernode.

Andre'


On Mon, Jun 2, 2014 at 10:41 AM, Carlos Pacho <cpacho () sourcefire com> wrote:
Hi Andre,

The new rule looks good. We are going to add it to the community ruleset.

Thanks,


Carlos Pacho
Research Engineer, VRT
Sourcefire, now part of Cisco
cpacho () sourcefire com
http://www.sourcefire.com/


On Fri, May 30, 2014 at 11:59 AM, Andre DiMino <adimino () sempersecurus org> wrote:
$dayjob has been receiving reports that a few of our hosts are acting as ZeroAccess 'supernodes'.
Since we have a bunch of ZeroAccess rules enabled, I was wondering why I didn't see them fire.

It seems that rule sid:23493; rev:5 will fire on outbound traffic particular to this ZeroAccess incident, however it won't fire on the inbound traffic.

alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5;)

So I tweaked the rule as follows to allow for the alerting on inbound ZeroAccess:

alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"ZeroAccess Supernode Inbound Traffic"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; classtype:trojan-activity;)

I need to tweak thresholding a bit, but overall it has been working well in my limited tests.
Any thoughts or comments?

--

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org/
http://sempersecurus.org/

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




--

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org/
http://sempersecurus.org/

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

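As an added illustration (not code from this thread, from Sourcefire/VRT or from the Snort project), the Python below re-implements what the inbound ZeroAccess rule matches and shows how Andre's "3 events in 60 seconds, tracked by destination IP" threshold changes the alert stream. The four ports and the marker bytes |28 94 8D AB| at offset 4 come from the rule posted in the thread; the sample datagrams, addresses and timestamps are constructed, and the EventFilter class approximates the semantics of Snort's three event_filter types (limit, threshold, both) rather than reproducing Snort's implementation. The Snort 2.9 configuration line that expresses the same idea would be `event_filter gen_id 1, sig_id 31136, type threshold, track by_dst, count 3, seconds 60`; the thread does not show Andre's exact filter, so the filter type is an assumption.

```python
"""Added illustration for the Snort-sigs ZeroAccess thread: what the inbound
rule matches, and how a 3-in-60s by_dst threshold quiets it.  Not code from
the thread or from the Snort project; the sample traffic below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Taken from the rule in the thread: destination ports and the four marker
# bytes that content:"|28 94 8D AB|"; offset:4; depth:4 requires at payload[4:8].
ZA_PORTS = {16464, 16465, 16470, 16471}
ZA_MARKER = bytes.fromhex("28948DAB")


@dataclass
class UdpEvent:
    ts: float        # seconds since start of the capture (constructed)
    src: str
    dst: str
    dport: int
    payload: bytes


def matches_inbound_rule(ev: UdpEvent) -> bool:
    """Inbound ZeroAccess rule options: UDP to one of the four ports
    (flow:to_server approximated as 'dport is the listening port'),
    dsize:16, and the marker at bytes 4..7."""
    return (ev.dport in ZA_PORTS
            and len(ev.payload) == 16
            and ev.payload[4:8] == ZA_MARKER)


@dataclass
class EventFilter:
    """Approximation of Snort's event_filter semantics, tracked by one key
    (here the destination IP, i.e. track by_dst):
      limit     - log the first `count` events per `seconds` window
      threshold - log every `count`-th event within a window
      both      - log once per window, when `count` events have been seen
    """
    kind: str
    count: int
    seconds: float
    _state: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def allow(self, key: str, ts: float) -> bool:
        start, n = self._state.get(key, (ts, 0))
        if ts - start >= self.seconds:   # window expired, start a fresh one
            start, n = ts, 0
        n += 1
        if self.kind == "limit":
            fire = n <= self.count
        elif self.kind == "threshold":
            fire = n >= self.count
            if fire:
                n = 0                    # counter restarts after each alert
        elif self.kind == "both":
            fire = n == self.count
        else:
            raise ValueError(f"unknown event_filter type {self.kind!r}")
        self._state[key] = (start, n)
        return fire


def run(events: List[UdpEvent], filt: Optional[EventFilter] = None) -> List[Tuple[float, str]]:
    """Return (timestamp, destination) for every alert the rule would raise,
    optionally passed through an event filter keyed on the destination."""
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not matches_inbound_rule(ev):
            continue
        if filt is None or filt.allow(ev.dst, ev.ts):
            alerts.append((ev.ts, ev.dst))
    return alerts


def za_payload() -> bytes:
    """Constructed 16-byte datagram: 4 bytes of filler, the marker, 8 more bytes."""
    return b"\x00\x11\x22\x33" + ZA_MARKER + b"\x44" * 8


# Constructed traffic: 10.0.0.5 is repeatedly contacted on the ZeroAccess ports
# (the supernode pattern), 10.0.0.7 sees a single contact, 10.0.0.9 sees noise.
SAMPLE_EVENTS = [
    UdpEvent(0.0,  "203.0.113.10", "10.0.0.5", 16464, za_payload()),
    UdpEvent(5.0,  "203.0.113.11", "10.0.0.5", 16465, za_payload()),
    UdpEvent(9.0,  "203.0.113.12", "10.0.0.5", 16470, za_payload()),
    UdpEvent(12.0, "203.0.113.20", "10.0.0.7", 16464, za_payload()),
    UdpEvent(13.0, "203.0.113.21", "10.0.0.9", 16464, b"\x00" * 16),  # dsize 16, no marker
    UdpEvent(14.0, "203.0.113.22", "10.0.0.9", 53,    za_payload()),  # marker, wrong port
    UdpEvent(30.0, "198.51.100.7", "10.0.0.5", 16471, za_payload()),
    UdpEvent(31.0, "198.51.100.8", "10.0.0.5", 16464, za_payload()),
    UdpEvent(40.0, "198.51.100.9", "10.0.0.5", 16464, za_payload()),
]

if __name__ == "__main__":
    print("unfiltered:", run(SAMPLE_EVENTS))
    for kind in ("limit", "threshold", "both"):
        print(f"{kind:9s} 3/60s by_dst:", run(SAMPLE_EVENTS, EventFilter(kind, 3, 60)))
```

Run stand-alone, the unfiltered rule raises seven alerts on the constructed traffic, six of them for the one host that is actually behaving like a supernode; the "threshold" filter reduces that to two alerts for 10.0.0.5 and none for the host that was contacted once, which is the effect Andre describes. Comparing the three filter types on the same traffic shows why the type matters: "limit" still passes the single-contact alert, while "both" collapses each window to a single alert.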
