Re: Snort-sigs Digest, Vol 100, Issue 8

[Tarzan538 NONO <sfalaptops () hotmail com>]

Hi Simon,
Here is my classification file;
# $Id: classification.config,v 1.5 2013/05/28 16:19:02 jesler Exp $# The following includes information for 
prioritizing rules# # Each classification includes a shortname, a description, and a default# priority for that 
classification.## This allows alerts to be classified and prioritized.  You can specify# what priority each 
classification has.  Any rule can override the default# priority for that rule.## Here are a few example rules:# #   
alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; #      dsize: > 128; classtype:attempted-admin; 
priority:10;##   alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \#             content:"expn root"; 
nocase; classtype:attempted-recon;)## The first rule will set its type to "attempted-admin" and override # the default 
priority for that type to 10.## The second rule set its type to "attempted-recon" and set its# priority to the default 
for that type.# 
## config classification:shortname,short description,priority#
config classification: not-suspicious,Not Suspicious Traffic,3config classification: unknown,Unknown Traffic,3config 
classification: bad-unknown,Potentially Bad Traffic, 2config classification: attempted-recon,Attempted Information 
Leak,2config classification: successful-recon-limited,Information Leak,2config classification: 
successful-recon-largescale,Large Scale Information Leak,2config classification: attempted-dos,Attempted Denial of 
Service,2config classification: successful-dos,Denial of Service,2config classification: attempted-user,Attempted User 
Privilege Gain,1config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1config classification: 
successful-user,Successful User Privilege Gain,1config classification: attempted-admin,Attempted Administrator 
Privilege Gain,1config classification: successful-admin,Successful Administrator Privilege Gain,1

# NEW CLASSIFICATIONSconfig classification: rpc-portmap-decode,Decode of an RPC Query,2config classification: 
shellcode-detect,Executable Code was Detected,1config classification: string-detect,A Suspicious String was 
Detected,3config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2config classification: 
suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2config classification: 
system-call-detect,A System Call was Detected,2config classification: tcp-connection,A TCP Connection was 
Detected,4config classification: trojan-activity,A Network Trojan was Detected, 1config classification: 
unusual-client-port-connection,A Client was Using an Unusual Port,2config classification: network-scan,Detection of a 
Network Scan,3config classification: denial-of-service,Detection of a Denial of Service Attack,2config classification: 
non-standard-protocol,Detection of a Non-Standard Protocol or Event,2config classification: 
protocol-command-decode,Generic Protocol Command Decode,3config classification: web-application-activity,Access to a 
Potentially Vulnerable Web Application,2config classification: web-application-attack,Web Application Attack,1config 
classification: misc-activity,Misc activity,3config classification: misc-attack,Misc Attack,2config classification: 
icmp-event,Generic ICMP event,3config classification: inappropriate-content,Inappropriate Content was Detected,1config 
classification: policy-violation,Potential Corporate Privacy Violation,1config classification: 
default-login-attempt,Attempt to Login By a Default Username and Password,2config classification: sdf,Sensitive Data 
was Transmitted Across the Network,2config classification: file-format,Known malicious file or file based 
exploit,1config classification: malware-cnc,Known malware command and control traffic,1config classification: 
client-side-exploit,Known client side exploit attempt,1
Here is my snort.config (Step #6).
#################################################### Step #6: Configure output plugins# For more information, see Snort 
Manual, Configuring Snort - Output Modules###################################################
# unified2 # Recommended for most installs# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, 
vlan_event_types
# Additional configuration for specific types of installs# output alert_unified2: filename snort.alert, limit 128, 
nostamp# output log_unified2: filename snort.log, limit 128, nostamp 
# syslog# output alert_syslog: LOG_AUTH LOG_ALERT
# pcap# output log_tcpdump: tcpdump.log
# metadata reference data.  do not modify these linesinclude C:\Snort\etc\classification.configinclude 
C:\Snort\etc\reference.config

Thank you,
Felix

> Message: 2
> Date: Wed, 24 Sep 2014 09:51:14 +0100
> From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
> Subject: Re: [Snort-sigs] Snort Rules Issues
> To: <snort-sigs () lists sourceforge net>
> Message-ID: <000601cfd7d4$b37d5dd0$1a781970$@wesseldine () idappcom com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Felix,
>
>  
>
> You should have the following line, in step 6 of your snort.conf file:
>
>  
>
> include classification.config
>
>  
>
> There should be a line in your classification.config file that looks like
> this:
>
>  
>
> config classification: web-application-attack,Web Application Attack,1
>
>  
>
> You may have an outdated classifiction.config file that does not include all
> the new classifications.
>
>  
>
> # NEW CLASSIFICATIONS
>
> config classification: rpc-portmap-decode,Decode of an RPC Query,2
>
> config classification: shellcode-detect,Executable Code was Detected,1
>
> config classification: string-detect,A Suspicious String was Detected,3
>
> config classification: suspicious-filename-detect,A Suspicious Filename was
> Detected,2
>
> config classification: suspicious-login,An Attempted Login Using a
> Suspicious Username was Detected,2
>
> config classification: system-call-detect,A System Call was Detected,2
>
> config classification: tcp-connection,A TCP Connection was Detected,4
>
> config classification: trojan-activity,A Network Trojan was Detected, 1
>
> config classification: unusual-client-port-connection,A Client was Using an
> Unusual Port,2
>
> config classification: network-scan,Detection of a Network Scan,3
>
> config classification: denial-of-service,Detection of a Denial of Service
> Attack,2
>
> config classification: non-standard-protocol,Detection of a Non-Standard
> Protocol or Event,2
>
> config classification: protocol-command-decode,Generic Protocol Command
> Decode,3
>
> config classification: web-application-activity,Access to a Potentially
> Vulnerable Web Application,2
>
> config classification: web-application-attack,Web Application Attack,1
>
> config classification: misc-activity,Misc activity,3
>
> config classification: misc-attack,Misc Attack,2
>
> config classification: icmp-event,Generic ICMP event,3
>
> config classification: inappropriate-content,Inappropriate Content was
> Detected,1
>
> config classification: policy-violation,Potential Corporate Privacy
> Violation,1
>
> config classification: default-login-attempt,Attempt to Login By a Default
> Username and Password,2
>
> config classification: sdf,Sensitive Data was Transmitted Across the
> Network,2
>
> config classification: file-format,Known malicious file or file based
> exploit,1
>
> config classification: malware-cnc,Known malware command and control
> traffic,1
>
> config classification: client-side-exploit,Known client side exploit
> attempt,1
>
>  
>
>  
>
> I hope that helps.
>
> Best regards,
>
> Simon.
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> Message: 3
> Date: Wed, 24 Sep 2014 08:37:34 -0400
> From: Joe Gedeon <joe.gedeon () gmail com>
> Subject: [Snort-sigs] SID 31968 EXPLOIT-KIT Astrum exploit kit Adobe
>       Flash   exploit payload request
> To: snort-sigs () lists sourceforge net
> Message-ID:
>       <CAM1A6KxG4WYMjxc-MpWX4iR-agi_uqhkqrv1QZ=iEvatybQxgA () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> With this new signature we are getting quite a few false positives for this
> signature.   Looking at the documentation linked in the signature it seems
> the section about not having a referrer was common in these.  Is there
> documentation that shows a recent version of the Astrum exploit kit is now
> accepting requests with referrers in the header?
>
> "with Astrum : show a referer and you'll get ignored and IP banned.
> Firefox, Chrome and Opera are also ignored"
>
> It seems this rule is completely missing the exploit attempt and is
> creating a high number of false positives.
>
> A sample ascii packet that the rule is triggering on:
> 07:27:43.175856 IP (tos 0x0, ttl 127, id 19122, offset 0, flags [DF], proto
> TCP (6), length 1052)
>     192.168.1.28.58269 > 162.208.20.163.80: Flags [P.], cksum 0x617e
> (correct), seq 4175168287:4175169299, ack 3935329242, win 65280, length 1012
> E...J.@................P......[.P...a~..GET
> /v1/epix/6835069/3845993/81088/122369/PbqfCmHAMhCcRUIqqIAAE8wAAB3gEAOq9pAAAAAAAxr2GnBMbwAQ/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_JmMxPTgmYzI9NjAwMDAwNiZjMz04MTA4OCZjND0zODQ1OTkzJmM1PTE4OTI3JmM2PTY4MzUwNjkmYzEwPTEyMjM2OSZjdj0xLjcmY2o9MSZybj0xNDExNTU4MDI0JnI9aHR0cCUzQSUyRiUyRnBpeGVsLnF1YW50c2VydmUuY29tJTJGcGl4ZWwlMkZwLWNiNkMwekZGN2RXakkuZ2lmJTNGbGFiZWxzJTNEcC42ODM1MDY5LjM4NDU5OTMuMCUyQ2EuMTg5MjcuODEwODguMTIyMzY5JTJDdS45NjguNjQweDM2MCUzQm1lZGlhJTNEYWQlM0JyJTNEMTQxMTU1ODAyNA/cnbd.
> HTTP/1.1
> Accept: */*
> Accept-Language: en-US
> Referer:
> http://aka.spotxcdn.com/[[IMPORT]]/shim.btrll.com/shim/20140918.77768_master/Scout.swf?type=r&config_url_64=&hidefb=true&cx=&t=33&d=300x250&;
> x-flash-version: 11,8,800,175
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0;)
> Host: brxserv-20.btrll.com
> Connection: Keep-Alive
> Cookie: BR_APS=3VCKma0IBTLsBp5UnPw; DRN1=AGQclFQlufQ;
> MEB=BUqRdAABPPEAOtI8AAHejA
>
>
> -- 
> Registered Linux User # 379282
> -------------- next part --------------
> An HTML attachment was scrubbed...
>
> ------------------------------
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
>
> ------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> End of Snort-sigs Digest, Vol 100, Issue 8
> ******************************************

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!