Home page logo

snort logo Snort mailing list archives

Proposed Sirefef (was Re: Late in the day...bet this could be sig'd)
From: "lists () packetmail net" <lists () packetmail net>
Date: Fri, 3 May 2013 19:54:54 -0500

On 05/03/2013 05:57 PM, James Lay wrote:



Here's my go at it, I'm using Emerging-Threats[1] style/nomenclature not because
it's what's "right" but simply because it's what I'm acclimated to.  Please no
flamewar for cross-posting.  Gratuitous hex to avoid line-wrap.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS/VRT_COMMUNITY Potential Sirefef hostile executable served from
compromised or malicious WordPress site"; flow:established,from_server;
content:"/wp-content/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
pcre:"/\/\d+\.exe$/U"; classtype:trojan-activity;
sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
CURRENT_EVENTS/VRT_COMMUNITY Sirefef Fake Opera 10 User-Agent";
flow:established,to_server; content:"Opera/10|20|"; http_header;
fast_pattern:only; content:!"Accept"; http_header; classtype:trojan-activity;
reference:url,dev.opera.com/articles/view/opera-ua-string-changes; sid:x; rev:1;)

Been a long day, flame me accordingly if this ends up being garbage sigs.  Best
wishes to all, thanks James for your keen eye (as always).

[1] http://www.emergingthreats.net/open-source/open-source-overview/


Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]