Home page logo
/

snort logo Snort mailing list archives

Re: question regarding distance 0 modifier
From: James Dickenson <jdickenson () gmail com>
Date: Fri, 18 Jul 2014 10:30:29 -0700

That answers my question perfectly, thanks for the help Joel!!


On Fri, Jul 18, 2014 at 6:53 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

 On Jul 17, 2014, at 7:56 PM, James Dickenson <jdickenson () gmail com>
wrote:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.MsUpdater variant outbound connection";
flow:to_server,established; content:"/search"; http_uri; content:"?h1=";
distance:0; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3=";
distance:0; http_uri; content:"&h4="; distance:0;
http_uri; content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|";
http_header; pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, service http; reference:url,
www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/; 
classtype:trojan-activity;
sid:21240; rev:7;)


Let me display our rule like this, might make it easier:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \

        msg:"MALWARE-CNC Win.Trojan.MsUpdater variant outbound
connection"; \
        flow:to_server,established; \
        content:"/search"; http_uri; \
        content:"?h1="; distance:0; http_uri; \    # This means that the
h1 match must take place *after* the “/search match in the previous line.
 No restrictions on where, just after.
        content:"&h2="; distance:0; http_uri; \    # This means that the
h2 match must take place *after the *“h1” match in the previous line.  No
restrictions on where, just after.
        content:"&h3="; distance:0; http_uri; \    # This means that the
h3 match must take place *after* the “h2” match in the previous line.  No
restrictions on where, just after.
        content:"&h4="; distance:0; http_uri; \    # This means that the
h4 match must take place *after *the “h3” match in the previous line.  No
restrictions on where, just after.

        content:"User-Agent|3A 20|Mozilla|2F|5.0|20|(compatible|3B|";
http_header; \
        pcre:"/\x28compatible\x3b[A-Z]*\x3b\x29\x0d\x0a/H"; \

 #the two above matches are in the “http_header” buffer (completely
different buffer, so no distance matches there)

        metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, service http; \
reference:url,
www.virustotal.com/file/6a237ffe0f7d84ffd9652662a2638a9b5212636b414ce15ea2e39204d2a24e7f/analysis/;
\
        classtype:trojan-activity; \
)


 You’ll notice all the “h{1-4}” matches are in the http_uri buffer.  So
you can perform relative checks on the matches in the same buffer.

 Does that help?

 --
*Joel Esler*
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]