Snort mailing list archives
Multiple signatures 010
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 20 Aug 2018 11:28:28 +0000
Hi,

Pcaps are available for some of the signatures below.

# --------------------
# Date: 2018-08-16
# Title: CVE-2018-15138
# Reference:
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15138
# - https://www.exploit-db.com/exploits/45167/
# Tests: syntax only

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download?filename="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:ruleset community, service http; reference:cve,2018-15138; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15138; classtype:web-application-attack; sid:8000258; rev:1;)

# --------------------
# Date: 2018-08-16
# Title: CVE-2018-14417
# Reference:
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14417
# - https://www.exploit-db.com/exploits/45097/
# Tests: syntax only

alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SoftNAS Cloud OS unauthenticated command injection attempt"; flow:to_server,established; content:"/softnas/snserver/snserv.php?"; fast_pattern:only; http_uri; content:"opcode="; http_uri; content:"&recentVersion="; http_uri; content:"|3B|"; within:50; content:"Referer"; http_header; reference:cve,2018-14417; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14417; classtype:attempted-admin; sid:8000259; rev:1;)

# --------------------
# Date: 2018-08-16
# Title: PowerShell-weaponized documents with specific User-Agents
# Tests: pcap
# Reference: Research
# - 6092a5e9860e0bac2c564412b123c06c5a34d359a7682b718bfd0473b9d20745
# - 629f2a5df32333dc62d74efa1810ee0389076f0767dbe886b53e02564258e139
# - 35e7d5b699fc0e764d961446e6d4cd9cfee35eae73a5948fb4121498ce136757
# Confidence: medium+

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Valyria known malicious PowerShell user-agent string"; flow:to_server,established; content:"User-Agent|3A| USRUE-VNC"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000260; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: AZORult variant + Hermes 2.1 Ransomware
# Tests: pcap
# Reference: Research
# Droppers:
# - 941fa514a76b8151976d00d96835c4d4dc237868e61cca01fa8be1c9f4459171
# - a77ce243c5501e94850c25e2c4a1028021a8d12d5814958afe4fce86f31b4e43
# - 5d5fef9da137ff5fed605d3929a33c5dcdde5d14aa75435e6a1e5bfdf0a96cdc
# - f278a67664691d9f4e701155a90d39b0a3768b0f675024b18e7046c36a54f081
# - 347afe983779b6657766e6260ae6bb12d70b7b6bc079aeee35c55a1c9d88c3e6
# - 7c1a4b2ac3940c033e345f41780059b04a979ccb7246cf6e6614e798aed067b1
# - 05e3783379157ed6bdc936f306d14b23927b6f682273d37f490349990532c305
# AZORult:
# - a7b8e4988e9da83ac55b4613bff4bccca62e208c2fed0c850ca024163b27dc09
# Hermes:
# - 2698c141c7fb2660fd009ce9c083022a531c28c8ae8258555027a2f7852de13d
# Confidence: medium+
# Notes: SID 8000194 (MALWARE-CNC Win.Trojan.GenKryptik) submitted earlier successfully
# triggered on AZORult traffic.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php"; nocase; http_uri; content:"MSIE 6.0"; nocase; http_header; content:"|2F FB|"; fast_pattern:only; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000261; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: CVE-2018-8373
# Reference:
# - https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/
# - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373
# - https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/
# Tests: syntax only

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"class"; nocase; content:"Class_Initialize"; within:60; content:"ReDim"; nocase; content:"Preserve"; within:150; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-admin; sid:8000262; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: New modular downloaders fingerprint systems, prepare for more - Part 1: Marap
# Tests: pcap
# Reference:
# - https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap
# - https://twitter.com/anyrun_app/status/1030515699410710528 : https://app.any.run/tasks/40bfffd2-8f8b-4e85-ab1a-212c803a459c

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound connection"; flow:to_server,established; urilen:8; content:"/dot.php"; fast_pattern:only; http_uri; content:"param="; depth:6; http_client_body; metadata:ruleset community, service http; reference:url,www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap; classtype:trojan-activity; sid:8000263; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".enc HTTP/1.1"; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Content-Length: 0"; http_header; metadata:ruleset community, service http; reference:url,www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap; classtype:trojan-activity; sid:8000264; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: KeyPass ransomware
# Tests: pcap
# Reference:
# - https://securelist.com/keypass-ransomware/87412/

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.KeePass get encryption key outbound request"; flow:to_server,established; content:"GET /get.php HTTP/1.0"; fast_pattern:only; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/keypass-ransomware/87412/; classtype:trojan-activity; sid:8000265; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.KeePass receive encryption key inbound request"; flow:to_client,established; file_data; content:"|7B 22|line1|22|"; fast_pattern:only; content:"|22|line2|22|"; metadata:ruleset community, service http; reference:url,securelist.com/keypass-ransomware/87412/; classtype:trojan-activity; sid:8000266; rev:1;)

Thanks.
YM
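Every rule in the post is a chain of content checks pinned to a specific HTTP buffer (http_uri, http_header, http_client_body) and narrowed by modifiers such as nocase, depth, within, urilen and the "!" negation. The following toy evaluator is an added example, not code from the post or from the Snort project: it parses four of the rules above (sids 8000258, 8000261, 8000263 and 8000265, with their metadata and reference options dropped to keep the lines short) and replays constructed HTTP requests through them. The sample requests, host names and the benign "KeyPass with User-Agent" case are constructed; keywords other than the ones listed are ignored, "within" is simplified to the previous match in the same buffer, and no normalization or flow tracking is done, so this only shows how the content checks combine and is no substitute for running the rules in Snort against the pcaps.

```python
import re

# Rules copied from the post above (sids 8000258, 8000261, 8000263, 8000265), with
# their metadata/reference options dropped to keep the lines short.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download?filename="; fast_pattern:only; http_uri; content:"../"; http_uri; classtype:web-application-attack; sid:8000258; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php"; nocase; http_uri; content:"MSIE 6.0"; nocase; http_header; content:"|2F FB|"; fast_pattern:only; http_client_body; classtype:trojan-activity; sid:8000261; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound connection"; flow:to_server,established; urilen:8; content:"/dot.php"; fast_pattern:only; http_uri; content:"param="; depth:6; http_client_body; classtype:trojan-activity; sid:8000263; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.KeePass get encryption key outbound request"; flow:to_server,established; content:"GET /get.php HTTP/1.0"; fast_pattern:only; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:8000265; rev:1;)',
]

HEX = re.compile(r"\|([0-9A-Fa-f ]+)\|")

def decode_content(text):
    """Expand Snort |xx yy| hex escapes; everything else is a literal byte string."""
    out, pos = bytearray(), 0
    for m in HEX.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def split_options(body):
    """Split the option list on ';' that are outside double quotes."""
    opts, cur, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def compile_rule(rule):
    """Group each content with the modifiers that follow it, as Snort 2 does."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    out, buf = {"sid": None, "urilen": None, "contents": []}, "raw"
    for opt in split_options(body):
        key, _, val = (s.strip() for s in opt.partition(":"))
        if key == "sid":
            out["sid"] = int(val)
        elif key == "urilen":
            out["urilen"] = int(val)           # exact length only (no ranges here)
        elif key == "file_data":
            buf = "body"                       # later contents default to the body
        elif key == "content":
            out["contents"].append({"pat": decode_content(val.lstrip("!").strip('"')),
                                    "neg": val.startswith("!"), "buf": buf,
                                    "nocase": False, "depth": None, "within": None})
        elif out["contents"] and key in ("http_uri", "http_header", "http_client_body", "http_method"):
            out["contents"][-1]["buf"] = key[5:]   # uri / header / client_body / method
        elif out["contents"] and key == "nocase":
            out["contents"][-1]["nocase"] = True
        elif out["contents"] and key in ("depth", "within"):
            out["contents"][-1][key] = int(val)
        # msg, flow, fast_pattern, classtype, rev: not needed for buffer matching
    return out

def content_matches(c, bufs, last_end):
    """One content check: depth/within bound the search window, '!' negates the result.
    Simplification: 'within' is measured from the previous match in the same buffer."""
    data, pat = bufs[c["buf"]], c["pat"]
    if c["nocase"]:
        data, pat = data.lower(), pat.lower()
    start = last_end.get(c["buf"], 0) if c["within"] is not None else 0
    stop = len(data)
    if c["depth"] is not None:
        stop = min(stop, start + c["depth"])
    if c["within"] is not None:
        stop = min(stop, start + c["within"])
    idx = data.find(pat, start, stop)
    if idx != -1:
        last_end[c["buf"]] = idx + len(pat)
    return (idx != -1) != c["neg"]

def rule_hits(compiled, bufs):
    if compiled["urilen"] is not None and len(bufs["uri"]) != compiled["urilen"]:
        return False
    last_end = {}
    return all(content_matches(c, bufs, last_end) for c in compiled["contents"])

def split_http(raw):
    """Cut a raw request into the buffers the rule modifiers select."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri = request_line.split(b" ")[:2]
    return {"raw": raw, "method": method, "uri": uri, "header": headers,
            "client_body": body, "body": body}

COMPILED = [compile_rule(r) for r in RULES]

def matching_sids(raw_request):
    """SIDs of the rules whose every content check succeeds on this request."""
    bufs = split_http(raw_request)
    return sorted(r["sid"] for r in COMPILED if rule_hits(r, bufs))

# Constructed sample requests (not captured traffic; hosts are placeholders).
TRAVERSAL = (b"GET /ipecs-cm/download?filename=../../../etc/hosts HTTP/1.1\r\n"
             b"Host: nms.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
AZORULT = (b"POST /index.php HTTP/1.1\r\nHost: c2.example\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
           b"Content-Length: 4\r\n\r\n\x2f\xfb\x00\x01")
MARAP = b"POST /dot.php HTTP/1.1\r\nHost: c2.example\r\nContent-Length: 12\r\n\r\nparam=abcdef"
KEYPASS = b"GET /get.php HTTP/1.0\r\nHost: c2.example\r\n\r\n"
# Same path but with a User-Agent: the negated content in sid 8000265 must not fire.
KEYPASS_WITH_UA = b"GET /get.php HTTP/1.0\r\nHost: c2.example\r\nUser-Agent: curl/7.58.0\r\n\r\n"
```

Calling matching_sids(KEYPASS) returns [8000265] while matching_sids(KEYPASS_WITH_UA) returns [], which is the point of the negated content in that rule: the KeyPass request is characterised as much by the header it lacks as by the path it requests. The urilen checks in 8000261 and 8000263 are evaluated first, so a request to /get.php (8 bytes) never reaches the AZORult content chain at all.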
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
Current thread:
- Multiple signatures 010 Y M via Snort-sigs (Aug 20)
- Re: Multiple signatures 010 Marcos Rodriguez via Snort-sigs (Aug 21)
