Re: Sourcefire VRT Certified Snort Rules Update 2015-01-27

["Joel Esler (jesler)" <jesler () cisco com>]

Yeah. Pcaps would help. I think we can isolate the false positives, just want some examples to check against.

--
Joel Esler
Sent from my iPhone

On Jan 28, 2015, at 9:29 AM, Jeff Stebelton <sysprobe9127 () gmail com<mailto:sysprobe9127 () gmail com>> wrote:

Seeing some false positives here. Latest ones appear to be an Amazon app using the Mozilla/5.0 User Agent..

On Wed, Jan 28, 2015 at 9:03 AM, Rodgers, Anthony (DTMB) <RodgersA1 () michigan gov<mailto:RodgersA1 () michigan gov>> 
wrote:
It looks like the 'content:"/2507US-1/"; ' match has been removed from 1:31557 in rev 3, which is causing a lot of 
apparent FPs on our network. Anyone else seeing this?

Rev 2: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent 
string - Mozilla/5.0 - Win.Backdoor.Andromeda"; flow:to_server,established; content:"/2507US-1/"; http_uri; 
content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; fast_pattern:5,20; nocase; http_header; metadata:policy balanced-ips drop, 
policy security-ips drop, service http; 
reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/<http://www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/>;
 classtype:trojan-activity; sid:31557; rev:2; )

Rev 3: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST USER-AGENT known malicious user-agent 
string - Mozilla/5.0 - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; 
fast_pattern:5,20; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, 
service http; 
reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/<http://www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/>;
 classtype:trojan-activity; sid:31557; rev:3; )

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)

-----Original Message-----
From: Research [mailto:research () sourcefire com<mailto:research () sourcefire com>]
Sent: Tuesday, January 27, 2015 12:42
To: snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2015-01-27

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
The VRT has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-pdf, 
indicator-compromise, malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule sets to provide 
coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFUx80xQLjqI2QiHVMRAvgyAJ4i4BtN6tT8rbRFuADxU9Q5XFkt2QCfWyFr
92zwsadqdriaRWRP5EFdlFc=
=Q9n5
-----END PGP SIGNATURE-----


------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership 
with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!