Snort mailing list archives
question regarding distance 0 modifier
From: James Dickenson <jdickenson () gmail com>
Date: Thu, 17 Jul 2014 16:56:36 -0700
Hello all,

I have two rules that are looking for variables passed in the URI in the form of h1=, h2=, etc. The rules are using the distance 0 modifier between each content match, which I'm interpreting as meaning 0 bytes distance between this match and the last content match. Is that correct, or am I misinterpreting the use of the modifier? This is in relation to the Putter Panda CrowdStrike report, and I'm trying to figure out if the rules are written wrong or if I'm just making a mistake. Here are two examples, one taken from the Zscaler report referenced in the below rule and one from the CrowdStrike report as well.

GET /search513417?h1=51&h2=1&h3=213383&h4=FMFEFEFHAEBIBLFPFLFCACFC
GET /search521649?h1=51&h2=1&h3=N07630&h4=FKFDFDAHAEBAEPFLFK

Thanks in advance for the help!

-James

Indicators here: http://www.crowdstrike.com/sites/default/files/putterpanda.txt

The rules in question:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url, www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url, research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url, blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; flow:to_server,established; content:"/search"; http_uri; content:"?h1="; distance:0; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"&h4="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url, www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:7;)
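Added example (an editor's illustration placed after the post; it is not part of the message above and not Snort's own code): a small Python model of how Snort walks a chain of content matches under the distance and within modifiers, run over the two URIs quoted in the post. It assumes the behaviour the Snort manual documents: distance:N moves the start of the next search to N bytes past the end of the previous match and puts no upper bound on the gap, while within:N is the modifier that bounds the window. The rule string is sid:21240 copied from the post with its reference and metadata options dropped; only the http_uri contents are evaluated, so the http_header content is parsed but never matched. The third URI and the "within:4" variant of the rule are constructed for contrast and do not come from either report.

```python
"""Toy model of Snort content-chain matching (added example; not Snort's code and
not part of the original post).  Semantics modelled, per the Snort manual:
  distance:N   - relative: begin searching N bytes after the END of the previous
                 content match; sets no upper bound on the gap.
  within:N     - relative: the pattern must lie entirely inside the N bytes that
                 follow that start point (this is what bounds the gap).
  offset/depth - the absolute counterparts, used when no relative modifier is set.
So distance:0 means "anywhere after the previous match", not "immediately after"."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Content:
    pattern: bytes
    buffer: str = "payload"        # http_uri / http_header / ... the buffer the content is bound to
    distance: Optional[int] = None
    within: Optional[int] = None
    offset: int = 0
    depth: Optional[int] = None


_HEX = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_content(s: str) -> bytes:
    """Expand Snort |hex| escapes, e.g. 'a|3A 20|b' -> b'a: b'."""
    out, pos = bytearray(), 0
    for m in _HEX.finditer(s):
        out += s[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def parse_contents(rule: str) -> List[Content]:
    """Pull the content keywords and their modifiers, in order, out of a rule's option list."""
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    chain: List[Content] = []
    for opt in (o.strip() for o in opts.split(";")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            chain.append(Content(decode_content(val.strip('"'))))
        elif chain and key in ("distance", "within", "offset", "depth"):
            setattr(chain[-1], key, int(val))
        elif chain and key.startswith("http_"):
            chain[-1].buffer = key
    return chain


def match_chain(buf: bytes, chain: List[Content]) -> Optional[List[Tuple[int, int]]]:
    """Match every content in order; return the (start, end) spans, or None at the
    first content that cannot be found inside its window."""
    spans: List[Tuple[int, int]] = []
    prev_end = 0
    for c in chain:
        if c.distance is None and c.within is None:        # absolute search
            start = c.offset
            stop = len(buf) if c.depth is None else start + c.depth
        else:                                               # relative to the previous match
            start = prev_end + (c.distance or 0)
            stop = len(buf) if c.within is None else start + c.within
        idx = buf.find(c.pattern, start, stop)              # whole pattern must fit in [start, stop)
        if idx < 0:
            return None
        prev_end = idx + len(c.pattern)
        spans.append((idx, prev_end))
    return spans


def uri_matches(rule: str, uri: bytes) -> Optional[List[Tuple[int, int]]]:
    """Evaluate only the rule's http_uri contents against a normalized URI buffer."""
    return match_chain(uri, [c for c in parse_contents(rule) if c.buffer == "http_uri"])


# sid:21240 from the post, with the reference and metadata options dropped for brevity.
RULE_SID21240 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater '
    'variant outbound connection"; flow:to_server,established; content:"/search"; http_uri; '
    'content:"?h1="; distance:0; http_uri; content:"&h2="; distance:0; http_uri; '
    'content:"&h3="; distance:0; http_uri; content:"&h4="; distance:0; http_uri; '
    'content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; '
    'classtype:trojan-activity; sid:21240; rev:7;)'
)

# Constructed variant: what a "0 bytes between matches" reading would actually need,
# a window exactly as wide as each 4-byte pattern, i.e. distance:0; within:4.
RULE_STRICT_ADJACENT = RULE_SID21240.replace("distance:0;", "distance:0; within:4;")

SAMPLE_URIS: Dict[str, bytes] = {
    # the two request URIs quoted in the post
    "zscaler": b"/search513417?h1=51&h2=1&h3=213383&h4=FMFEFEFHAEBIBLFPFLFCACFC",
    "crowdstrike": b"/search521649?h1=51&h2=1&h3=N07630&h4=FKFDFDAHAEBAEPFLFK",
    # constructed: same parameters, but h3 before h2, so the ordered chain must fail
    "reordered": b"/search7?h1=51&h3=1&h2=2&h4=AA",
}


def evaluate(rule: str) -> Dict[str, bool]:
    """Which sample URIs satisfy the rule's http_uri chain."""
    return {name: uri_matches(rule, uri) is not None for name, uri in SAMPLE_URIS.items()}


if __name__ == "__main__":
    for name, uri in SAMPLE_URIS.items():
        print(f"{name:12} distance:0 -> {uri_matches(RULE_SID21240, uri)}")
        print(f"{name:12} strict     -> {uri_matches(RULE_STRICT_ADJACENT, uri)}")
```

Under these semantics both quoted URIs satisfy the chain: the two bytes of "51" between "?h1=" and "&h2=" are exactly the kind of gap distance:0 permits, because it fixes only where the next search starts, not how far it may run. The constructed within:4 variant, which is what "no bytes between the matches" would have to be written as, matches neither URI, and the reordered URI fails because each relative content is searched only after the previous one's end.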
Current thread:
- question regarding distance 0 modifier James Dickenson (Jul 17)
- Re: question regarding distance 0 modifier Joel Esler (jesler) (Jul 18)
- Re: question regarding distance 0 modifier James Dickenson (Jul 18)
- Re: question regarding distance 0 modifier Joel Esler (jesler) (Jul 18)