Snort mailing list archives

Re: backdoored ssh-decorator package


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 10 May 2018 16:23:03 +0000

Hi Phillip,

Thanks for the feedback. I do agree with the assessment of not adding the rule to the community ruleset, given the 
fast_patterned 'index.php'. The concern was about the existing installation base of the package, or if there are other 
packages exhibiting the same compromise.

For the sake of self-improvement, I have done some python documentation reading; the following statements stand out:

"... urllib.request module uses HTTP/1.1 and includes Connection:close header in its HTTP requests."
"... If this header has not been provided and data is not None, Content-Type: application/x-www-form-urlencoded will be 
added as a default."
"... The default is 'GET' if data is None or 'POST' otherwise ..."

https://docs.python.org/3/library/urllib.request.html#urllib.request.urlopen

With the above in mind, the second revision becomes:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC backdoored ssh-decorator package outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; fast_pattern:only; http_uri; content:"pkey="; http_uri; content:"port="; http_uri; content:"server="; http_uri; content:"password="; http_uri; content:"user="; http_uri; content:"Connection: close|0D 0A|"; http_header; content:"Content-Type: application/x-www-form-urlencoded"; http_header; metadata:ruleset community, service http; reference:url,https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package; classtype:trojan-activity; sid:8000050; rev:2;)

This is not to dispute the decision of not adding the rule to the community ruleset 😊. It's still not unique enough.

Thanks.
YM
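The urllib defaults quoted above decide which Snort buffer the form fields end up in, so a rule author wants to check that before choosing http_uri or http_client_body. The script below is an added example, not code from this thread: it rebuilds the request line, headers and body as urllib.request would send them (the Connection and Content-Type defaults are added by the opener at send time, so they are reconstructed here from the quoted documentation) and reports where each parameter the rule looks for lands. The host name and field values are constructed placeholders.

```python
import urllib.parse
import urllib.request

# Constructed sample values; placeholder host, not a real server or credentials.
FIELDS = {"user": "alice", "password": "s3cret", "server": "10.0.0.5",
          "port": "22", "pkey": "-----BEGIN KEY-----"}
URL = "http://example.invalid/index.php"
RULE_PARAMS = ["pkey=", "port=", "server=", "password=", "user="]


def build_wire(url, data=None):
    """Reconstruct the on-the-wire request urllib.request would send.

    Per the documentation quoted in the thread: GET when data is None, POST
    otherwise; Content-Type: application/x-www-form-urlencoded is added for a
    POST without an explicit Content-Type; Connection: close is always added.
    """
    req = urllib.request.Request(url, data=data)
    headers = {"Host": req.host, "Connection": "close"}
    if req.data is not None and not req.has_header("Content-type"):
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    head = "%s %s HTTP/1.1\r\n" % (req.get_method(), req.selector)
    head += "".join("%s: %s\r\n" % kv for kv in headers.items())
    body = req.data.decode() if req.data is not None else ""
    return head + "\r\n" + body


def locate_params(wire):
    """Split the wire image into what Snort's http_uri and http_client_body
    buffers would contain and report which buffer holds each rule parameter."""
    head, _, body = wire.partition("\r\n\r\n")
    method, uri, _ = head.split("\r\n")[0].split(" ", 2)
    found = {}
    for param in RULE_PARAMS:
        if param in uri:
            found[param] = "http_uri"
        elif param in body:
            found[param] = "http_client_body"
        else:
            found[param] = None
    return method, found


encoded = urllib.parse.urlencode(FIELDS)
# data given -> POST, fields travel in the body, not the URI
post_wire = build_wire(URL, data=encoded.encode())
# fields appended to the URL -> GET, fields visible in the URI
get_wire = build_wire(URL + "?" + encoded)
```

Running locate_params on both wire images shows that with data passed to urlopen the five parameters are only visible to http_client_body, while http_uri sees them only for the GET form.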
________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Phillip Lee <phillile () sourcefire com>
Sent: Thursday, May 10, 2018 6:38 PM
To: wkitty42 () windstream net
Cc: snort-sigs () lists snort org
Subject: Re: [Snort-sigs] backdoored ssh-decorator package

Hi Yaser,
After reviewing the rule, we have decided not to add it to the community ruleset.  There are two reasons:
1. The pip package in question has been taken down
2. The rule content would likely result in FPs due to generic use of parameters seen in other applications. Your 
general rule is OK (other than using 'index.php' as a fast_pattern - would enter way too often), it's just that with 
those parameters, it's not something unique to only the ssh-decorator package.

We sincerely appreciate your contribution.

Regards,
Phil Lee
Cisco Talos

On May 10, 2018, at 10:24 AM, wkitty42 () windstream net wrote:

On 05/09/2018 04:03 PM, Y M via Snort-sigs wrote:
Hi,
The below rule is derived from the reference. Simple testing with python is shown below as illustrated in the 
screenshot in the reference.


was this thing fixed from the original(?) one? i've seen another one that misspells "password" one time... the 'w' 
and the 'o' are reversed...


--
NOTE: No off-list assistance is given without prior approval.
      *Please keep mailing list traffic on the list unless*
      *a signed and pre-paid contract is in effect with us.*
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
