
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIGS: Sweet Orange and Angler
From:       Kevin Ross <kevross33 () googlemail ! com>
Date:       2014-09-23 15:25:04
Message-ID: CAM_5znvH9X6hm5SH=3rUNSemms=0BTKBd4miu9wouXmRJxQjgQ () mail ! gmail ! com


That is fine as the sig was a bit wrong. When I was analysing it and I realised
both of the headers don't change I modified it but obviously not cleanly :)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers";
flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997
05|3A|00|3A|00 GMT"; http_header; *content:"Expires|3A|
content:"Last-Modified*|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT";
http_header; fast_pattern:15,20; classtype:trojan-activity;
reference:url,www.malware-traffic-analysis.net/2014/09/22/index.html;
sid:193312; rev:1;)

On 23 September 2014 13:14, Darien Huss <dhuss@emergingthreats.net> wrote:

> Thanks Kevin,
>
> The first one is covered by 2019146. The second one is covered by ETPRO
> 2807913, so we will move that over to OPEN today.
>
> Regards,
> Darien
>
> On Tue, Sep 23, 2014 at 4:57 AM, Kevin Ross <kevross33@googlemail.com>
> wrote:
>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS Sweet Orange Exploit Kit Traffic Gate";
>> flow:established,to_server; content:"/k?t="; http_uri; depth:5;
>> pcre:"/^\x2Fk\x3Ft\x3D\d{10}$/U"; classtype:trojan-activity; reference:url,
>> www.malware-traffic-analysis.net/2014/09/19/index.html; sid:193311;
>> rev:1;)
>>
>> # Seen this in many examples going back to at least Late May/June time so
>> looks pretty consistent.
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
>> CURRENT_EVENTS Angler Exploit Kit Fake HTTP Headers";
>> flow:established,to_client; content:"Expires|3A| Sat, 26 Jul 1997
>> 05|3A|00|3A|00 GMT"; http_header; content:"Expires|3A|
>> content:"Last-Modified|3A| Sat, 26 Jul 2040 05|3A|00|3A|00 GMT";
>> http_header; fast_pattern:15,20; classtype:trojan-activity; reference:url,
>> www.malware-traffic-analysis.net/2014/09/22/index.html; sid:193312;
>> rev:1;)
>>
>> Kind Regards,
>> kevin Ross
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs@lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>>
>
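As an added example, not code from this thread or from the ET ruleset, the matching logic of both posted rules written out in Python and run over constructed sample HTTP messages: the Sweet Orange gate check mirrors `content:"/k?t="; http_uri; depth:5;` plus the PCRE `^/k?t=\d{10}$`, and the Angler check requires both fixed header values (Expires in 1997, Last-Modified in 2040) that the author says do not change. The `fast_pattern_slice` helper assumes the `Last-Modified` content match the author intended rather than the mangled `content:"Expires|3A| content:"Last-Modified...` fragment as posted; all requests, responses and header values below are constructed, not captures from the referenced write-ups.

```python
import re
from typing import Dict, Optional

# Sweet Orange gate: URI must be exactly "/k?t=" followed by ten digits, which is
# what the posted PCRE /^\x2Fk\x3Ft\x3D\d{10}$/U expresses (the "/k?t=" content
# with depth:5 only pre-filters on the same prefix).
SWEET_ORANGE_GATE_URI = re.compile(r"^/k\?t=\d{10}$")

# Angler fake headers, decoded from the rule's |3A| (colon) escapes.
ANGLER_EXPIRES = "Sat, 26 Jul 1997 05:00:00 GMT"
ANGLER_LAST_MODIFIED = "Sat, 26 Jul 2040 05:00:00 GMT"


def request_uri(raw_request: bytes) -> Optional[str]:
    """Return the request-target from the request line, or None if malformed."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else None


def parse_headers(raw_message: bytes) -> Dict[str, str]:
    """Parse the header block of a request or response into a lower-cased dict."""
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip start line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_sweet_orange_gate(raw_request: bytes) -> bool:
    """True when the request URI matches the posted gate pattern (to_server)."""
    uri = request_uri(raw_request)
    return uri is not None and SWEET_ORANGE_GATE_URI.match(uri) is not None


def has_angler_fake_headers(raw_response: bytes) -> bool:
    """True when a response carries both fixed fake header values (to_client).

    Both header values must be present; the posted rule's intent was two
    http_header content matches, one per header, not the merged fragment.
    """
    headers = parse_headers(raw_response)
    return (headers.get("expires") == ANGLER_EXPIRES
            and headers.get("last-modified") == ANGLER_LAST_MODIFIED)


def fast_pattern_slice(content: str, offset: int, length: int) -> str:
    """Bytes a Snort `fast_pattern:offset,length` hands to the fast matcher.

    Offsets are relative to the start of the content string itself, so for the
    intended "Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT" match, 15,20 selects
    the distinctive 2040 date rather than the generic "Last-Modified: " prefix.
    """
    return content[offset:offset + length]


# Constructed sample traffic (assumed shapes, not real captures).
SAMPLE_GATE_REQUEST = (
    b"GET /k?t=1411484104 HTTP/1.1\r\n"
    b"Host: gate.example.test\r\n\r\n"
)
SAMPLE_BENIGN_REQUEST = (
    b"GET /k?t=1411484104&page=2 HTTP/1.1\r\n"  # extra parameter, fails the $ anchor
    b"Host: shop.example.test\r\n\r\n"
)
SAMPLE_ANGLER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"
    b"Last-Modified: Sat, 26 Jul 2040 05:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Expires: Sat, 26 Jul 1997 05:00:00 GMT\r\n"  # one header alone is not enough
    b"Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    print("gate request   :", is_sweet_orange_gate(SAMPLE_GATE_REQUEST))
    print("benign request :", is_sweet_orange_gate(SAMPLE_BENIGN_REQUEST))
    print("angler response:", has_angler_fake_headers(SAMPLE_ANGLER_RESPONSE))
    print("benign response:", has_angler_fake_headers(SAMPLE_BENIGN_RESPONSE))
    print("fast_pattern   :", fast_pattern_slice(
        "Last-Modified: " + ANGLER_LAST_MODIFIED, 15, 20))
```

Requiring both header values, as the functions do, is what keeps the rule tight: a page that legitimately sends a 1997 Expires date to defeat caching is common, while the 2040 Last-Modified alongside it is not, which is also why the fast_pattern offset is worth pointing at the 2040 date.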


_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net


