Home page logo
/

snort logo Snort mailing list archives

Re: Vbs rat threat rules
From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 28 Jan 2014 23:42:40 +0000

Hi,

That won't work in that port 1000 can't use HTTP keywords unless you add it
to your local $HTTP_PORTS variable in snort.conf. So your choice is either:

1) add port 1000 to the $HTTP_PORTS variable and change to this (I have
corrected the other rule options for your reference, mostly external_host,
no flow etc.
Alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"alert vbs rat";
flow:established,to_server; content:"some.website.net"; http_header;
fast_pattern:only; pcre:"/Host\x3A[^\r\n]*some\.website\.net/H";
classtype:trojan-activity; sid:123991; rev:1;)

2) Don't have it in your HTTP_PORTS and go like the rule below (although
personally I would have it being a destination port of any instead of 1000
which increases detection because I assume being a RAT they can change the
server listening port:
Alert tcp $HOME_NET any -> $EXTERNAL_NET 1000 (msg:"alert vbs rat";
flow:established,to_server; content:"some.website.net"; fast_pattern:only;
pcre:"/Host\x3A[^\r\n]*some\.website\.net/sm"; classtype:trojan-activity;
sid:123992; rev:1;)

Hope that helps you out on the idea behind this. Personally though if I was
you specific blacklist type things are not ideal for snort rules so I would
look at the structure of the command and control rather than where it is
going. If you are looking for sites I would recommend alongside snort
running passiveDNS https://github.com/gamelinux/passivedns which will
record your name/ip resolutions and then if you ever wonder if you have
been compromised you can query that and get a time for first and last
querying which can help out a lot - especially as databases of DNS traffic
can be retained for a long time.

I would also recommend you use BRO which very nicely complements Snort in
that you can log all that extra information like files, HTTP traffic, FTP,
IRC, SMTP etc. What you can then do is send it over to ELSA
http://code.google.com/p/enterprise-log-search-and-archive/. This is a
video of it https://www.youtube.com/watch?v=INRJZ3_Dsyc. You can also
extract files and do lots of other things with it (which you can do in the
latest Snort too). Still I think BRO & Snort work well and with ELSA it
allows you to query data quickly and form interesting queries to find
anomalous things.

Kind Regards,
Kevin Ross



On 28 January 2014 17:07, Feroz Basir <feroz.basir () gmail com> wrote:

Hi,

Thanks for replying. My packet go through a proxy and snort is between 2
proxies. I've just learned that this proxy might change or encapsulate the
packet. I'm trying to monitor vbs rat threat that making connection from
the inside to outside world via various port numbers and hostname. I have
the rule but it didn't work. So I thought vrt could have a special rule for
this.

Alert tcp $home_net any -> $external_host 1000 (msg:"alert vbs rat"
content:"Host|3A|"; nocase; http_header; content:"some.website.net";
nocase; http_header; fast_pattern:only; priority:1; Sid:1000002; rev:1;)

Thanks.


Regards,
Feroz Basir

On 28 Jan 2014, at 10:40, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Perhaps the reason is, "vbs rat" isn't a specific attack, it's a generic
term.  We have lots of detection for Remote Access Tools, which* one* is
really the question.


 On Jan 27, 2014, at 7:49 PM, Feroz Basir <feroz.basir () gmail com> wrote:

 Hi again,

Anybody knows? Please help. Thanks.


Regards,
Feroz Fazidi Bin Basir

On 25 Jan 2014, at 19:34, Feroz Basir <feroz.basir () gmail com> wrote:

Hi all,

Anybody knows which rule that vrt uses for detecting VBS RAT threat? Im
sniffing proxy packet which I think change the packet.

Thanks.


Regards,
Feroz Basir



------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.

http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.

http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]