
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIGS: Exploit Kit Detection (With Blackhole Detections)
From:       Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date:       2013-10-28 14:58:44
Message-ID: CAKrkXrPSHiexLggPbuVoRR_JtkqwUSnRv=B+AriO1iSdr8SKTA () mail ! gmail ! com



Still looking... :)


On Mon, Oct 28, 2013 at 9:54 AM, Kevin Ross <kevross33@googlemail.com> wrote:

> and what about 165631 for the Java? That one has served me pretty well in
> true positive vs false rate :)
>
>
> On 28 October 2013 14:49, Will Metcalf <william.metcalf@gmail.com> wrote:
>
>> 165632 in my tests probably doesn't add much more than the existing EXE
>> INFO sigs. If you guys decide you want it added, we should at least change
>> the msg, as I see just as many if not more legit apps than evil apps.
>>
>> Regards,
>>
>> Will
>>
>>
>> On Mon, Oct 21, 2013 at 3:09 AM, Kevin Ross <kevross33@googlemail.com> wrote:
>>
>>> Hi,
>>>
>>> I have submitted 3 of these sigs before but never got any feedback. I
>>> have also created one more this morning based on a bit of digging into
>>> patterns as a test. They are reliable in generic exploit kit detections and
>>> so I think very useful for consideration.
>>>
>>> # These 3 signatures work extremely reliably in their True Positive vs False Positive ratio.
>>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:25,13; content:"X-Powered-By|3A| PHP/"; http_header; file_data; content:"PK"; within:2; classtype:bad-unknown; sid:165631; rev:1;)
>>>
>>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Executable File Sent With X-Powered By HTTP Header - Common In Exploit Kits"; flow:established,to_client; content:"X-Powered-By|3A| PHP/"; http_header; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:165632; rev:1;)
>>>
>>> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:26,12; content:"Content-Length|3A| "; http_header; content:"|0D 0A|"; http_header; distance:5; within:2; file_data; content:"PK"; within:2; pcre:"/Content\x2DLength\x3A\x20(1|2)\d{4}\x0D\x0A/H"; classtype:bad-unknown; sid:183992; rev:1;)
>>>
>>> # This is an experimental sig I am yet to test. However, looking back
>>> # over about 4 days of stuff where I do have plenty of users that have Java
>>> # stuff going on, it seems rare that the URI should be .php?. In fact the only
>>> # incident of it in multiple days of traffic was the exploit kit.
>>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Java Request To PHP Site - Potential Java Exploit"; flow:established,to_server; content:".php?"; http_uri; content:"Java/"; http_header; pcre:"/User\x2DAgent\x3A\x20[^\r\n]*Java\x2F/H"; classtype:bad-unknown; sid:183993; rev:1;)
>>>
>>> Kind Regards,
>>> Kevin
>>>
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs@lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>> The ONLY place to get complete premium rulesets for all versions of
>>> Suricata and Snort 2.4.0 through Current!
>>>
>>
>>
>
>
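The match logic of the four signatures above, re-implemented in Python and run over constructed HTTP messages. This is an added example and not code from the thread or from the ET rulesets; the sample headers, file sizes, URIs and User-Agent strings are constructed, not captures, and the hostnames are placeholders. It makes two things visible that the rule text alone does not: the distance:5/within:2 pair plus the pcre in 183992 constrain Content-Length to exactly five digits beginning with 1 or 2, so a 9999-byte or a 30000-byte JAR escapes despite the "Under 30K" msg, and 165632 fires on any PE served by a PHP script, which is the false-positive concern raised in the reply.

```python
"""Re-implementation of sids 165631/165632/183992/183993 over constructed HTTP
messages (added example, not part of the original thread)."""
import re

# Byte patterns lifted from the rules' content:/pcre: options (case-sensitive,
# as Snort content matches are by default).
JAR_CTYPE = b"Content-Type: application/java-archive"
PHP_POWERED = b"X-Powered-By: PHP/"
LEN_5_DIGITS_1_OR_2 = re.compile(rb"Content-Length: (1|2)\d{4}\r\n")   # sid 183992
JAVA_UA_LINE = re.compile(rb"User-Agent: [^\r\n]*Java/")               # sid 183993


def split_http(msg: bytes):
    """Return (header block, body). The header block keeps line-ending CRLFs,
    including the one after the last header, so the regexes above can be run
    against it much as Snort runs http_header matches."""
    head, sep, body = msg.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message has no end-of-headers marker")
    return head + b"\r\n", body


def request_uri(head: bytes) -> bytes:
    """Raw request-target from the request line (no normalisation)."""
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 3 else b""


def sig_165631(head, body):
    # JAR content-type + PHP banner + "PK" at file offset 0 (file_data; within:2)
    return JAR_CTYPE in head and PHP_POWERED in head and body[:2] == b"PK"


def sig_165632(head, body):
    # PHP banner + "MZ" at offset 0 + "PE\0\0" anywhere after it (distance:0)
    return PHP_POWERED in head and body[:2] == b"MZ" and b"PE\x00\x00" in body[2:]


def sig_183992(head, body):
    # JAR content-type + Content-Length of exactly five digits beginning 1 or 2.
    # distance:5/within:2 forces the CRLF to sit right after the fifth digit and
    # the pcre restricts the first digit, so this is 10000..29999 bytes: a
    # 9999-byte or 30000-byte JAR does not match despite the "Under 30K" msg.
    return (JAR_CTYPE in head
            and LEN_5_DIGITS_1_OR_2.search(head) is not None
            and body[:2] == b"PK")


def sig_183993(head):
    # to_server: ".php?" in the URI, "Java/" in the headers, and specifically on
    # the User-Agent line
    return (b".php?" in request_uri(head)
            and b"Java/" in head
            and JAVA_UA_LINE.search(head) is not None)


def match_all(msg: bytes) -> set:
    """Set of sids that would fire on one raw HTTP message."""
    head, body = split_http(msg)
    hits = set()
    if head.startswith(b"HTTP/"):          # server -> client, flow:to_client
        if sig_165631(head, body): hits.add(165631)
        if sig_165632(head, body): hits.add(165632)
        if sig_183992(head, body): hits.add(183992)
    else:                                  # client -> server, flow:to_server
        if sig_183993(head): hits.add(183993)
    return hits


# ---- constructed sample traffic (not captures) ---------------------------
def http_response(headers: bytes, body: bytes) -> bytes:
    length = str(len(body)).encode()
    return b"HTTP/1.1 200 OK\r\n" + headers + b"Content-Length: " + length + b"\r\n\r\n" + body

def fake_jar(size: int) -> bytes:          # zip local-file header magic + padding
    return b"PK\x03\x04" + b"\x00" * (size - 4)

def fake_pe() -> bytes:                    # DOS magic, then a PE signature at 0x40
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200

PHP_JAR = b"Content-Type: application/java-archive\r\nX-Powered-By: PHP/5.3.3\r\n"
TOMCAT_JAR = b"Content-Type: application/java-archive\r\nServer: Apache-Coyote/1.1\r\n"
PHP_EXE = b"Content-Type: application/octet-stream\r\nX-Powered-By: PHP/5.4.4\r\n"
JAVA_UA = b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_21\r\n"
FIREFOX_UA = b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n"
REQ_PHP = b"GET /gate/index.php?id=1 HTTP/1.1\r\nHost: example.invalid\r\n"
REQ_JSP = b"GET /update/list.jsp?v=7 HTTP/1.1\r\nHost: example.invalid\r\n"

SAMPLES = {
    "ek_jar_12345":     http_response(PHP_JAR, fake_jar(12345)),
    "php_jar_9999":     http_response(PHP_JAR, fake_jar(9999)),
    "php_jar_30000":    http_response(PHP_JAR, fake_jar(30000)),
    "tomcat_jar_20000": http_response(TOMCAT_JAR, fake_jar(20000)),
    "php_exe_download": http_response(PHP_EXE, fake_pe()),   # legit download script or EK payload: same alert
    "java_to_php":      REQ_PHP + JAVA_UA + b"\r\n",
    "browser_to_php":   REQ_PHP + FIREFOX_UA + b"\r\n",
    "java_to_jsp":      REQ_JSP + JAVA_UA + b"\r\n",
}

def run_samples() -> dict:
    return {name: match_all(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, sids in run_samples().items():
        print(f"{name:18s} -> {sorted(sids) or 'no alert'}")
```

The header checks are plain substring and regex tests on the raw header block rather than a parsed header dictionary, so they follow the rules' byte-level semantics (a Content-Type with a trailing charset parameter still matches, header names are case-sensitive). Anything that differs from how Snort or Suricata normalise the http_header and http_uri buffers is a simplification of this example, not of the rules.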



