Snort mailing list archives

question regarding distance 0 modifier


From: James Dickenson <jdickenson () gmail com>
Date: Thu, 17 Jul 2014 16:56:36 -0700

Hello all,

I have two rules that are looking for variables passed in the URI in the
form of h1=, h2=, etc.
The rules are using the distance 0 modifier between each content match,
which I'm interpreting as meaning 0 bytes distance between this match and
the last content match.  Is that correct, or am I misinterpreting the use of
the modifier? This is in relation to the Putter Panda CrowdStrike report,
and I'm trying to figure out if the rules are written wrong or if I'm just
making a mistake.

Here are two examples, one taken from the Zscaler report referenced in the
rule below and the other from the CrowdStrike report.

GET /search513417?h1=51&h2=1&h3=213383&h4=FMFEFEFHAEBIBLFPFLFCACFC
GET /search521649?h1=51&h2=1&h3=N07630&h4=FKFDFDAHAEBAEPFLFK

Thanks in advance for the help!

-James

indicators here:
http://www.crowdstrike.com/sites/default/files/putterpanda.txt
and


The rules in question:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound connection"; flow:to_server,established; content:"/search"; http_uri; content:"?h1="; distance:0; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"&h4="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|"; http_header; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; classtype:trojan-activity; sid:21240; rev:7;)
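Snort's distance modifier sets where the search for a content begins relative to the end of the previous content match, so distance:0 means "at or after the previous match", not "immediately adjacent" (adjacency would need within as well). The following is an added Python model of that behaviour, not code from this post or from Snort; it assumes the distance/within semantics stated in its docstring and runs the http_uri chain of sid:21240 over the two sample URIs plus a constructed out-of-order one.

```python
"""Toy model of Snort relative content matching (distance / within).

Added example; not code from the post or from Snort. Assumed semantics:
  distance:N  start searching N bytes after the END of the previous match,
              so distance:0 = "anywhere later in the buffer"
  within:M    the content must lie entirely inside the M bytes beginning
              at that start point (the search window Snort builds)
Only plain content strings against one buffer (http_uri) are modelled.
"""


def match_chain(buf: bytes, chain) -> bool:
    """chain: list of (content, distance, within); None = modifier absent.
    A content with no relative modifier is absolute (whole buffer).
    Returns True only if every content matches, in order."""
    cursor = 0  # end offset of the previous content match
    for content, distance, within in chain:
        if distance is None and within is None:
            start, end = 0, len(buf)                # absolute match
        else:
            start = max(0, cursor + (distance or 0))  # negative distance allowed
            end = len(buf) if within is None else start + within
        pos = buf.find(content, start, end)         # must fit inside [start, end)
        if pos < 0:
            return False
        cursor = pos + len(content)
    return True


# http_uri content chain from the sid:21240 rule quoted in the post.
MSUPDATER_URI_CHAIN = [
    (b"/search", None, None),
    (b"?h1=", 0, None),
    (b"&h2=", 0, None),
    (b"&h3=", 0, None),
    (b"&h4=", 0, None),
]

# Variant that additionally requires "&h2=" to end within 6 bytes of "?h1=".
ADJACENT_H1_H2 = [(b"?h1=", None, None), (b"&h2=", 0, 6)]

# The two URIs from the post, plus a constructed one with h3 before h2.
URI_A = b"/search513417?h1=51&h2=1&h3=213383&h4=FMFEFEFHAEBIBLFPFLFCACFC"
URI_B = b"/search521649?h1=51&h2=1&h3=N07630&h4=FKFDFDAHAEBAEPFLFK"
URI_REORDERED = b"/search1?h1=51&h3=2&h2=1&h4=3"  # constructed

if __name__ == "__main__":
    for name, uri in [("A", URI_A), ("B", URI_B), ("reordered", URI_REORDERED)]:
        print(name, match_chain(uri, MSUPDATER_URI_CHAIN))
    print("adjacent h1/h2 on A:", match_chain(URI_A, ADJACENT_H1_H2))
```

Both posted URIs satisfy the chain even though the parameters are separated by their values, which is why distance:0 alone does not imply back-to-back matches.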