Snort mailing list archives

FP on 1:44221:1


From: Noah Dunker via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 9 Oct 2017 12:26:57 -0500

We had this rule hit a false positive over the weekend.

GET /images/Arrival.jpg HTTP/1.1
Host: oldbluejacket.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://oldbluejacket.com/bootcamp.htm

One of our analysts dug into some of the samples available via VirusTotal
(including the one in the reference URL) and added this tweak via
Oinkmaster:

modifysid 44221 "http_uri;" | "http_uri; content:\"|50 4B|\"; content:\"exe\"; content:\"html\";"

The resulting signature seems to fire on verified malicious samples.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Ransomware.SyncCrypt variant initial outbound connection";
flow:to_server,established; urilen:19; content:"/images/arrival.jpg";
fast_pattern:only; http_uri; content:"|50 4B|"; content:"exe";
content:"html"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, service http; reference:url,
virustotal.com/#/file/3049a568c1c1cd4d225f8f333bf05e4560c8f9de5f167201253fedf35142fe3e/detection;
classtype:trojan-activity; sid:44221; rev:2;)


Cheers.


<https://riskanalytics.com/>


Noah Dunker, VP of Engineering
Office / 913.685.6517
PGP / 4886 929b ba09 09be
<http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4886929BBA0909BE>
ndunker () riskanalytics com
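As an added illustration (not part of the post, and not Snort's own matching engine), the Python below models the rev:1 and rev:2 checks of sid 44221 as byte matches over a single request payload and runs them against the posted false-positive request and a constructed payload that also carries the three added strings. It assumes the URI comparison is case-insensitive, a simplification made so the reported hit on /images/Arrival.jpg is reproduced.

```python
import re

# Request line of an HTTP/1.x request: method, URI, version.
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")

# The three byte patterns rev:2 adds as plain content matches. They carry no
# http_uri modifier, so they are searched in the whole packet payload.
ADDED_CONTENT = (b"\x50\x4B", b"exe", b"html")


def request_uri(payload: bytes):
    """Return the request URI from a raw HTTP request payload, or None."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def matches_rev1(payload: bytes) -> bool:
    """Model of rev:1: urilen:19 plus the /images/arrival.jpg URI match.

    Assumption: the URI comparison is case-insensitive here, so that the
    posted request (/images/Arrival.jpg) hits as reported.
    """
    uri = request_uri(payload)
    return uri is not None and len(uri) == 19 and uri.lower() == b"/images/arrival.jpg"


def matches_rev2(payload: bytes) -> bool:
    """Model of rev:2: the rev:1 checks plus the three added content matches."""
    return matches_rev1(payload) and all(p in payload for p in ADDED_CONTENT)


# The false-positive request from the post (subset of the reported headers).
FP_REQUEST = (
    b"GET /images/Arrival.jpg HTTP/1.1\r\n"
    b"Host: oldbluejacket.com\r\n"
    b"Referer: http://oldbluejacket.com/bootcamp.htm\r\n\r\n"
)

# Constructed stand-in for the samples the analyst examined: same URI, but the
# payload also contains the |50 4B| bytes and the two strings. Not a real sample.
CONSTRUCTED_SAMPLE = (
    b"GET /images/arrival.jpg HTTP/1.1\r\n"
    b"Host: example.invalid\r\n\r\n"
    b"\x50\x4B\x03\x04 payload.exe index.html"
)

if __name__ == "__main__":
    for name, req in (("false positive", FP_REQUEST), ("constructed sample", CONSTRUCTED_SAMPLE)):
        print(f"{name}: rev1={matches_rev1(req)} rev2={matches_rev2(req)}")
```

Running it shows the false-positive request satisfying the rev:1 checks but not rev:2, while the constructed payload satisfies both.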
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs