Snort mailing list archives
Re: Multiple signatures 007
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Mon, 30 Jul 2018 15:01:43 -0400
On Mon, Jul 30, 2018 at 2:09 PM, Y M via Snort-sigs < snort-sigs () lists snort org> wrote:
Hi,

An existing sid (45907) from the ruleset may require updates. Please see the notes associated with sid 8000217 below. Pcaps available for most of the rules below.

# --------------------
# Date: 2018-07-29
# Title: CVE-2018-9919, Tpshop 2.0.8 Arbitrary File Download / SSRF
# Reference: https://packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html
# Tests: syntax only

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop arbitrary file download attempt"; flow:to_server,established; urilen:>100; content:"/LinkTagTeet.php?"; fast_pattern:only; http_uri; content:"down_url="; http_uri; reference:cve,2018-9919; reference:url,packetstormsecurity.com/files/147434/Tpshop-2.0.8-Arbitrary-File-Download-SSRF.html; metadata:ruleset community, service http; classtype:attempted-admin; sid:8000215; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: A mining multitool - Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
# Reference:
# - https://securelist.com/a-mining-multitool/86950/
# Tests: pcap
# Confidence: low
# Notes:
# 1. This relates to the decimal/base64 encoded binary downloads with the same HTTP
#    response headers as reported in "Multiple signatures 006" sid 8000209-8000210.
#    This was a coincidence and the reference was observed on 2018-07-30.
# 2. Not friendly with HTTP buffers/content matches.
# 3. SID 1:33872, MALWARE-CNC Win.Worm.Urahu is still relevant.
# 4. This may also be referred to as Skillis, Rozena, Urahu, Nitol, PowerGhost, and similar to WannaMine.

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PowerGhost outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0+|0D 0A|"; fast_pattern:only; content:!"Connection"; metadata:ruleset community, service http; reference:url,securelist.com/a-mining-multitool/86950/; classtype:trojan-activity; sid:8000216; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: New Threat Actor Group DarkHydrus Targets Middle East Government
# Reference:
# - https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
# Tests: pcap
# Confidence: low
# Notes:
# 1. Existing sid 45907 requires modifications by changing the direction of the rule as follows:
#    alert udp $HOME_NET any -> $EXTERNAL_NET 53. This change is not posted below.
# 2. SID 8000217 has pcre to help eliminate FPs. Maybe add detection_filter?

alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"MALWARE-CNC excessive DNS large TXT response records with zero-based TTL"; flow:to_client; dsize:>250; content:"|00 10 00 01|"; content:"|00 00 00 00|"; distance:0; fast_pattern; byte_test:1,>,190,2,relative; pcre:"/[\x41-\x5a\x61-\x7a]{190,255}/"; metadata:ruleset community, service dns; classtype:trojan-activity; sid:8000217; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC inbound null SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|30 07 06 03 55 04 06 13 00 31 09|"; content:"|30 07 06 03 55 04 08 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 07 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0A 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 0B 13 00 31 09|"; distance:0; content:"|30 07 06 03 55 04 03 13 00|"; distance:0; metadata:ruleset community, service ssl; classtype:trojan-activity; sid:8000218; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: PUA Adware Tweakbit
# Reference: Research
# - https://www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection
# Tests: pcap
# Confidence: medium

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; urilen:8; content:"/collect"; fast_pattern:only; http_uri; content:"v="; http_client_body; content:"&tid="; http_client_body; content:"&cid="; http_client_body; content:"&ea="; http_client_body; content:"&el="; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000219; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/offers/"; fast_pattern:only; http_uri; content:"data=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:"|22|oslanguage|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000220; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/tools/uninstalloffers/"; fast_pattern:only; http_uri; content:"request=|7B|"; http_client_body; content:"|22|protocol|22|"; http_client_body; content:"|22|product|22|"; http_client_body; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000221; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Tweakbit outbound connection"; flow:to_server,established; content:"/driverservice.asmx"; fast_pattern:only; http_uri; content:"SOAPAction: "; http_header; content:"<operatingSystemMajorVersion>"; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/ba819dafd2f79f35d4fdafa57d772ab452e58d0bb9f98ebda9153a2f0cc7f218/detection; classtype:trojan-activity; sid:8000222; rev:1;)

# --------------------
# Date: 2018-07-30
# Title: PUA Adware AdNaver
# Reference: Research
# - https://www.virustotal.com/#/file/9cab0520f4d7c3ecbc310e55282861ca20d53959eaf6e93d8d6aa717347819da/detection
# - https://app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5
# Tests: pcap
# Confidence: low

alert udp $HOME_NET any -> $EXTERNAL_NET 15000 (msg:"PUA-ADWARE AdNaver NAT service successful installation"; flow:to_server; content:"INSTALL|09|"; content:"|09 09|"; distance:36; content:"|5C|NAT Service|5C|"; content:"C:|5C|Users|5C|"; metadata:ruleset community; reference:url,app.any.run/tasks/16de6eff-d745-43d0-b463-a542e27ed4e5; classtype:trojan-activity; sid:8000223; rev:1;)

Thanks.
YM
Hi Yaser,

As always, thanks for these submissions. We'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
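As an added example (not part of the thread, and not code from the Snort ruleset), the following Python mirrors the detection logic of sid 8000217 on a constructed DNS response: a payload over 250 bytes, a TXT/IN answer whose TTL is zero, a character-string length byte above 190, and the rule's run of 190-255 ASCII letters. The rule's pcre is unanchored over the whole payload; here it is applied to the TXT string itself, and the benign cases show how the dsize and TTL conditions gate the alert.

```python
import re
import struct

TXT, IN = 16, 1  # RR type TXT, class IN: the |00 10 00 01| the rule matches

def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_dns_txt_response(qname, txt, ttl, txid=0x1234):
    """Constructed test data: a minimal DNS response with one TXT answer whose
    owner name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", TXT, IN)
    rdata = bytes([len(txt)]) + txt.encode()  # <character-string>: length byte + text
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + question + answer

def skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length

def suspicious_txt_answers(payload):
    """Mirror sid 8000217: dsize:>250, TXT/IN answer with TTL |00 00 00 00|, first
    character-string length byte > 190 (byte_test:1,>,190,2,relative), and the
    rule's pcre run of 190-255 ASCII letters. Returns the matching TXT strings."""
    if len(payload) <= 250:
        return []
    qdcount, ancount = struct.unpack_from(">HH", payload, 4)
    off = 12  # fixed-size DNS header
    for _ in range(qdcount):
        off = skip_name(payload, off) + 4  # skip QTYPE + QCLASS
    hits = []
    for _ in range(ancount):
        off = skip_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", payload, off)
        off += 10
        rdata, off = payload[off:off + rdlen], off + rdlen
        if rtype == TXT and rclass == IN and ttl == 0 and rdata and rdata[0] > 190:
            text = rdata[1:1 + rdata[0]]
            if re.search(rb"[\x41-\x5a\x61-\x7a]{190,255}", text):
                hits.append(text.decode("ascii", "replace"))
    return hits
```

Note that a 200-letter TXT record with TTL 0 still falls under the 250-byte dsize gate for a short question name, which is one reason a detection_filter or threshold, as suggested in note 2, would change the rule's behaviour more than the pcre does.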
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats! https://snort.org/downloads/#rule-downloads