Snort mailing list archives

Improvement to rule 1:26528


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Wed, 28 May 2014 09:19:41 -0400

Hello,

I'd like to propose an improvement to rule 1:26528
INDICATOR-OBFUSCATION eval of base64-encoded data.

In spite of the many ways it can trigger false positives, it's proven
to be valuable for finding compromised websites all over the place.
I'd like to propose a slight improvement that may help the accuracy a
little more. Here is the rule in its original form:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION eval of base64-encoded data";
flow:to_client,established; file_data;
content:"eval|28|base64.decode|28|"; fast_pattern:only;
metadata:service ftp-data, service http, service imap, service pop3;
classtype:trojan-activity; sid:26568; rev:3; )

Here is the rule with the slight modifications I would like considered:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION eval of base64-encoded data";
flow:to_client,established; file_data;
content:"eval|28|base64.decode|28|"; fast_pattern:only;
content:!"|22|J01PQklMRSc|3D 22 29 29 3B|"; distance: 0; within: 17;
metadata:service ftp-data, service http, service imap, service pop3;
classtype:trojan-activity; sid:26568; rev:3; )

Specifically, I recommend adding the following after the first content match:

content:!"|22|J01PQklMRSc|3D 22 29 29 3B|"; distance: 0; within: 17;

This tells Snort to NOT look for the content -- "J01PQklMRSc="));
immediately after the content match.

I've been seeing alerts for this particular content match on a lot of
mobile websites:

Parameters.SiteType = eval(Base64.decode("J01PQklMRSc="));

This Base64 encoding decodes to the text 'MOBILE'. This content isn't
particularly malicious; in fact, aside from being absolutely
pointless, it's not insidious in the least, and I'm seeing it more and
more on mobile sites.

Let me know what you think.

Cheers,

da_667




-- 
when does reality end? when does fantasy begin?
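To see the effect of the proposed negated content, here is an added Python emulation (not Snort code and not part of the original post) of the two rule bodies above against the benign mobile-site snippet and a constructed sample; it models only the content/distance/within logic, ignores flow and file_data, and assumes Snort's fast-pattern-only match is case-insensitive while the negated content match is case-sensitive.

```python
import base64

def parse_snort_content(s: str) -> bytes:
    """Turn a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")          # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # |XX XX| hex run
    return bytes(out)

POSITIVE = parse_snort_content("eval|28|base64.decode|28|")      # fast_pattern:only
NEGATED = parse_snort_content('|22|J01PQklMRSc|3D 22 29 29 3B|')  # the proposed addition
WITHIN = 17  # same as len(NEGATED); distance:0 means it must start right after

def decode_base64_arg(arg: str) -> bytes:
    """Decode the Base64 literal the page discusses ('MOBILE' with quotes)."""
    return base64.b64decode(arg)

def original_rule_matches(payload: bytes) -> bool:
    # Assumption: the fast pattern matcher is case-insensitive, which is why
    # mixed-case "Base64.decode" on the page triggers the original rule.
    return POSITIVE in payload.lower()

def rule_matches(payload: bytes) -> bool:
    """Proposed rule: positive content present AND the 17-byte negated
    content does not start at distance 0 after it. Snort retries later
    occurrences of the anchor; that is modelled by the scan loop."""
    start = 0
    low = payload.lower()
    while True:
        idx = low.find(POSITIVE, start)
        if idx == -1:
            return False
        after = idx + len(POSITIVE)
        window = payload[after:after + WITHIN]   # case-sensitive check
        if not window.startswith(NEGATED):
            return True
        start = idx + 1

# Constructed samples: the benign mobile snippet from the post and a
# placeholder payload that decodes to a harmless string.
BENIGN_MOBILE = b'Parameters.SiteType = eval(Base64.decode("J01PQklMRSc="));'
SUSPICIOUS = b'eval(Base64.decode("SGVsbG8sIHdvcmxk"));'
```

Running `rule_matches` over both samples shows the benign snippet is dropped by the new rule while the original body still fires on it.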
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org