
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] Asprox Beacons
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2015-04-16 22:06:08
Message-ID: CAKcCgkVZPjug1V8n8TNdyYQwscNh1fgsfxwMPneL2OBTa2D+7Q () mail ! gmail ! com

Thanks pckthck, we'll take a look at these for tomorrow!

Regards,
Darien

On Thu, Apr 16, 2015 at 2:33 PM, Packet Hack <pckthck@gmail.com> wrote:

> Seeing these in conjunction with the Rerdom/Asprox
> beacon (2019760).
>
> Packet:
>
>   HEAD / HTTP/1.0
>   User-Agent: Wget/1.11.4
>   Accept: */*
>   Host: ya.ru
>   Connection: Keep-Alive
>
> Rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Possible Asprox/Rerdom Beacon"; content:"HEAD"; http_method;
> content:"HEAD / HTTP/1.0|0d 0a|User-Agent|3a| Wget/1.11.4|0d
> 0a|Accept|3a| */*|0d 0a|Host|3a| ya.ru|0d 0a|Connection|3a|
> Keep-Alive|0d 0a 0d 0a|"; fast_pattern; classtype:trojan-activity;
> sid:9100931; rev:1)
>
> Packet:
>
>   XX.XX.XX.XX:XXXX -> 5.152.215.2:808
>   XX.XX.XX.XX:XXXX -> 95.211.185.149:808
>
>   GET / HTTP/1.1
>   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)
>     AppleWebKit/537.36 (KHTML, like Gecko)
>     Chrome/35.0.1916.153 Safari/537.36
>   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>   Connection: Keep-Alive
>   Accept-Encoding: gzip
>   Accept-Language: en-US,*
>   Host: 95.211.185.149:808
>
> Rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET [81:8079,8081:65535] (msg:"ET
> TROJAN Possible Asprox/Rerdom Beacon (2)"; content:"GET "; depth:4;
> pcre:"/\AGET \/ HTTP\/1\.1\r\nUser-Agent\x3a .*?\r\nAccept\x3a
> .*?\r\nConnection\x3a .*?\r\nAccept-Encoding\x3a
> .*?\r\nAccept-Language\x3a .*\r\nHost\x3a .*?\r\n\r\n/";
> classtype:trojan-activity; sid:9100932; rev:1)
>
> Not sure if I can use the /H modifier to the pcre since these
> appear to be on non-standard ports and therefore won't use
> the http preproc. Since Host: is the last line, maybe just limit
> it to "Host\x3a .*?\r\n\r\n" ?
>
> Anyway, feel free to tidy as necessary.
>
> -- pckthck
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>

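To check the two proposed signatures offline, here is an added example (not part of the thread and not Emerging Threats code) that re-implements their matching logic in Python and runs it over constructed requests: the two beacons rebuilt byte-for-byte from the post (the wrapped User-Agent is assumed to be one line on the wire), plus a constructed benign Chrome request with the header order a real browser sends. Python's `re` stands in for Snort's PCRE only for the constructs the rule uses (`\A`, lazy `.*?`, `\x3a`, and `.` not matching `\n`); the expressions are applied to the raw payload, which is what a plain `pcre` without `/H` does on a port `http_inspect` does not handle. Destination ports used for the checks are assumptions (80 for the HEAD beacon, 808 as in the post for the GET beacon).

```python
import re

# Constructed sample requests, rebuilt from the text of the post (not pcap data).
BEACON_HEAD = (
    b"HEAD / HTTP/1.0\r\n"
    b"User-Agent: Wget/1.11.4\r\n"
    b"Accept: */*\r\n"
    b"Host: ya.ru\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
BEACON_GET = (
    b"GET / HTTP/1.1\r\n"
    # The post wraps the UA for readability; assumed to be a single header line.
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Accept-Language: en-US,*\r\n"
    b"Host: 95.211.185.149:808\r\n\r\n"
)
# Constructed benign request: same browser UA string, but with Host sent
# first, as a real Chrome build does. It should not fire rule 9100932.
BENIGN_GET = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test:808\r\n"
    b"Connection: keep-alive\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
    b"(KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36\r\n"
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Accept-Language: en-US,en;q=0.8\r\n\r\n"
)

# Rule 9100931: content:"HEAD"; http_method; plus one fixed raw byte string.
# The method check is approximated as "request line starts with HEAD ";
# the raw content has no offset/depth, so it is a plain substring search.
RAW_HEAD_CONTENT = (
    b"HEAD / HTTP/1.0\r\nUser-Agent: Wget/1.11.4\r\nAccept: */*\r\n"
    b"Host: ya.ru\r\nConnection: Keep-Alive\r\n\r\n"
)

def rule_9100931(payload: bytes) -> bool:
    return payload.startswith(b"HEAD ") and RAW_HEAD_CONTENT in payload

# Rule 9100932: destination port in [81:8079,8081:65535], content:"GET "
# with depth:4, then the pcre from the post, applied to the raw payload.
RULE2_PCRE = re.compile(
    rb"\AGET / HTTP/1\.1\r\nUser-Agent\x3a .*?\r\nAccept\x3a .*?\r\n"
    rb"Connection\x3a .*?\r\nAccept-Encoding\x3a .*?\r\nAccept-Language\x3a .*"
    rb"\r\nHost\x3a .*?\r\n\r\n"
)

def port_in_rule2_range(dport: int) -> bool:
    return 81 <= dport <= 8079 or 8081 <= dport <= 65535

def rule_9100932(payload: bytes, dport: int) -> bool:
    if not port_in_rule2_range(dport):
        return False
    if payload[:4] != b"GET ":          # content:"GET "; depth:4;
        return False
    return RULE2_PCRE.search(payload) is not None

# The narrower check floated at the end of the post: only require that the
# Host header is the final line before the blank line ending the headers.
HOST_LAST = re.compile(rb"\r\nHost\x3a [^\r\n]*\r\n\r\n")

def host_is_last_header(payload: bytes) -> bool:
    return HOST_LAST.search(payload) is not None

def evaluate() -> dict:
    """Return (rule_9100931, rule_9100932) results for each sample."""
    return {
        "beacon_head": (rule_9100931(BEACON_HEAD), rule_9100932(BEACON_HEAD, 80)),
        "beacon_get": (rule_9100931(BEACON_GET), rule_9100932(BEACON_GET, 808)),
        "benign_get": (rule_9100931(BENIGN_GET), rule_9100932(BENIGN_GET, 808)),
    }

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name}: 9100931={hits[0]} 9100932={hits[1]}")
```

The benign request fails rule 9100932 only because of header order (the pcre demands User-Agent immediately after the request line and Host last), which is the real discriminator in that signature; the same request on port 80 or 8080 is skipped by the port list before the pcre is ever tried. The Host-last shortcut matches the GET beacon but not the HEAD beacon, whose Host header is followed by Connection, so it can only replace the tail of rule 9100932, not stand in for rule 9100931.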