List:       snort-sigs
Subject:    Re: [Snort-sigs] Question on 26287
From:       Joel Esler <jesler () sourcefire ! com>
Date:       2013-04-03 1:33:46
Message-ID: 559954F2-418A-482D-8826-464B628AA413 () sourcefire ! com


Btw-- since that rule was a community rule, it's already been shipped in the community set updated.

--
Joel Esler
Sent from my iPhone 

On Apr 2, 2013, at 7:23 PM, James Lay <jlay@slave-tothe-box.net> wrote:

> 
> On Apr 2, 2013, at 4:47 PM, Joel Esler <jesler@sourcefire.com> wrote:
> 
> > On Apr 2, 2013, at 4:16 PM, James Lay <jlay@slave-tothe-box.net> wrote:
> > 
> > > Hey all.
> > > 
> > > Here's the rule:
> > > 
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Ortega Rootkit outbound connection - search.namequery.com"; flow:to_server,established; content:" search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|TagId: "; depth:9; offset:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:1;)
> > > 
> > > Any additional info on this?  You didn't hear this from me, but this
> > > fires on Fujitsu Q550 running Windows 7 Professional x86 out of the box
> > > :)
> > 
> > 
> > Here is that rule now (It hasn't been shipped yet)
> > 
> > # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.absolute.com/en/products/absolute-computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:trojan-activity; sid:26287; rev:3;)
> > 
> > This is Computrace's "laptop lo-jack" software.  I've moved it from MALWARE-CNC to APP-DETECT, changed the message and took it out of the balanced policy.
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> 
> 
> Awesome…thanks Joel.
> 
> James
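As an added illustration (not code from the list, the VRT or Absolute), the following Python models the content matchers of sid:26287 rev:1 and rev:3 from the thread and runs them over constructed header buffers, so the effect of Joel's change (full Host header, and TagId no longer pinned by offset/depth) can be checked before a deployment. It assumes the http_header buffer is the raw header block and Snort 2.x offset/depth semantics (search restricted to bytes [offset, offset+depth)); the header samples are constructed, not captured traffic.

```python
from typing import Optional

# Added example: emulates the 'content' checks of sid:26287 rev:1 vs rev:3.
# Assumptions: the http_header buffer is the raw header block built below, and
# offset:N depth:M limits the search to bytes [N, N+M) as in Snort 2.x.

def snort_content_bytes(pattern: str) -> bytes:
    """Expand a Snort content string: text between '|' is hex, the rest is literal."""
    out = bytearray()
    for i, piece in enumerate(pattern.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode("latin-1")
    return bytes(out)

def content_match(buf: bytes, pattern: str, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Emulate one 'content' keyword with optional offset/depth modifiers."""
    needle = snort_content_bytes(pattern)
    end = len(buf) if depth is None else offset + depth
    return buf.find(needle, offset, end) != -1

def sid26287_rev1(http_header: bytes) -> bool:
    """rev:1 as posted: bare hostname + CRLF anywhere, plus CRLF 'TagId: ' pinned to
    bytes 15..24 (depth:9 equals the pattern length, so the position is fixed)."""
    return (content_match(http_header, " search.namequery.com|0D 0A|")
            and content_match(http_header, "|0D 0A|TagId: ", offset=15, depth=9))

def sid26287_rev3(http_header: bytes) -> bool:
    """rev:3 as posted: full Host header line, and 'TagId: ' anywhere in the buffer."""
    return (content_match(http_header, "Host|3A| search.namequery.com|0D 0A|")
            and content_match(http_header, "TagId: "))

# Constructed header buffers (hypothetical, not captured Computrace traffic).
HDR_TAGID_AT_15 = b"X-Flags: abcdef\r\nTagId: 0\r\nHost: search.namequery.com\r\n\r\n"
HDR_HOST_FIRST = b"Host: search.namequery.com\r\nTagId: 0\r\nUser-Agent: x\r\n\r\n"
HDR_BENIGN = b"Host: www.example.com\r\nTagId: 0\r\nUser-Agent: x\r\n\r\n"

def evaluate(http_header: bytes) -> dict:
    """Return which revision of the rule would fire on the given header block."""
    return {"rev1": sid26287_rev1(http_header), "rev3": sid26287_rev3(http_header)}

if __name__ == "__main__":
    for name, hdr in [("tagid_at_15", HDR_TAGID_AT_15),
                      ("host_first", HDR_HOST_FIRST),
                      ("benign", HDR_BENIGN)]:
        print(name, evaluate(hdr))
```

The second sample shows the practical difference: with the Host line first, rev:1 misses the beacon because the TagId line no longer sits at byte 15, while rev:3 still fires.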


------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
