Snort mailing list archives
Re: Multiple signatures 010
From: Marcos Rodriguez via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 21 Aug 2018 10:48:17 -0400
On Mon, Aug 20, 2018 at 7:28 AM, Y M via Snort-sigs <snort-sigs () lists snort org> wrote:

Hi,

Pcaps are available for some of the signatures below.

# --------------------
# Date: 2018-08-16
# Title: CVE-2018-15138
# Reference:
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15138
# - https://www.exploit-db.com/exploits/45167/
# Tests: syntax only
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download?filename="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:ruleset community, service http; reference:cve,2018-15138; reference:url, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15138; classtype:web-application-attack; sid:8000258; rev:1;)

# --------------------
# Date: 2018-08-16
# Title: CVE-2018-14417
# Reference:
# - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14417
# - https://www.exploit-db.com/exploits/45097/
# Tests: syntax only
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP SoftNAS Cloud OS unauthenticated command injection attempt"; flow:to_server,established; content:"/softnas/snserver/snserv.php?"; fast_pattern:only; http_uri; content:"opcode="; http_uri; content:"&recentVersion="; http_uri; content:"|3B|"; within:50; content:"Referer"; http_header; reference:cve,2018-14417; reference:url, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14417; classtype:attempted-admin; sid:8000259; rev:1;)

# --------------------
# Date: 2018-08-16
# Title: PowerShell-weaponized documents with specific User-Agents
# Tests: pcap
# Reference: Research
# - 6092a5e9860e0bac2c564412b123c06c5a34d359a7682b718bfd0473b9d20745
# - 629f2a5df32333dc62d74efa1810ee0389076f0767dbe886b53e02564258e139
# - 35e7d5b699fc0e764d961446e6d4cd9cfee35eae73a5948fb4121498ce136757
# Confidence: medium+
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Valyria known malicious PowerShell user-agent string"; flow:to_server,established; content:"User-Agent|3A| USRUE-VNC"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000260; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: AZORult variant + Hermes 2.1 Ransomware
# Tests: pcap
# Reference: Research
# Droppers:
# - 941fa514a76b8151976d00d96835c4d4dc237868e61cca01fa8be1c9f4459171
# - a77ce243c5501e94850c25e2c4a1028021a8d12d5814958afe4fce86f31b4e43
# - 5d5fef9da137ff5fed605d3929a33c5dcdde5d14aa75435e6a1e5bfdf0a96cdc
# - f278a67664691d9f4e701155a90d39b0a3768b0f675024b18e7046c36a54f081
# - 347afe983779b6657766e6260ae6bb12d70b7b6bc079aeee35c55a1c9d88c3e6
# - 7c1a4b2ac3940c033e345f41780059b04a979ccb7246cf6e6614e798aed067b1
# - 05e3783379157ed6bdc936f306d14b23927b6f682273d37f490349990532c305
# AZOrult:
# - a7b8e4988e9da83ac55b4613bff4bccca62e208c2fed0c850ca024163b27dc09
# Hermes:
# - 2698c141c7fb2660fd009ce9c083022a531c28c8ae8258555027a2f7852de13d
# Confidence: medium+
# Notes: SID 8000194 (MALWARE-CNC Win.Trojan.GenKryptik) submitted earlier successfully
# triggered on AZORult traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AZORult variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php"; nocase; http_uri; content:"MSIE 6.0"; nocase; http_header; content:"|2F FB|"; fast_pattern:only; http_client_body; metadata:ruleset community, service http; classtype:trojan-activity; sid:8000261; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: CVE-2018-8373
# Reference:
# - https://ti.360.net/blog/articles/analyzing-attack-of-cve-2018-8373-and-darkhotel/
# - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373
# - https://blog.trendmicro.com/trendlabs-security-intelligence/use-after-free-uaf-vulnerability-cve-2018-8373-in-vbscript-engine-affects-internet-explorer-to-run-shellcode/
# Tests: syntax only
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt"; flow:to_client,established; file_data; content:"class"; nocase; content:"Class_Initialize"; within:60; content:"ReDim"; nocase; content:"Preserve"; within:150; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2018-8373; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373; classtype:attempted-admin; sid:8000262; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: New modular downloaders fingerprint systems, prepare for more - Part 1: Marap
# Tests: pcap
# Reference:
# - https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap
# - https://twitter.com/anyrun_app/status/1030515699410710528 : https://app.any.run/tasks/40bfffd2-8f8b-4e85-ab1a-212c803a459c
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound connection"; flow:to_server,established; urilen:8; content:"/dot.php"; fast_pattern:only; http_uri; content:"param="; depth:6; http_client_body; metadata:ruleset community, service http; reference:url,www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap; classtype:trojan-activity; sid:8000263; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".enc HTTP/1.1"; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Content-Length: 0"; http_header; metadata:ruleset community, service http; reference:url,www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap; classtype:trojan-activity; sid:8000264; rev:1;)

# --------------------
# Date: 2018-08-19
# Title: KeyPass ransomware
# Tests: pcap
# Reference:
# - https://securelist.com/keypass-ransomware/87412/
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.KeePass get encryption key outbound request"; flow:to_server,established; content:"GET /get.php HTTP/1.0"; fast_pattern:only; content:!"User-Agent"; http_header; metadata:ruleset community, service http; reference:url,securelist.com/keypass-ransomware/87412/; classtype:trojan-activity; sid:8000265; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.KeePass receive encryption key inbound request"; flow:to_client,established; file_data; content:"|7B 22|line1|22|"; fast_pattern:only; content:"|22|line2|22|"; metadata:ruleset community, service http; reference:url,securelist.com/keypass-ransomware/87412/; classtype:trojan-activity; sid:8000266; rev:1;)

Thanks.
YM
Hi Yaser,

Thanks for these submissions, we'll get these into our testing process and get back to you as soon as possible. We'd appreciate any pcaps you'd be willing to share.

Thanks again!

--
Marcos Rodriguez
Cisco Talos
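An added example, not part of this thread or of the Snort project: a minimal Python evaluator for the subset of Snort 2 content options the submitted rules rely on (http_uri, http_header, http_client_body, depth, negated content, urilen), run against constructed requests for sid 8000263 (Marap) and sid 8000265 (KeyPass). The request bytes and the simplified buffer splitting are assumptions, not pcap data; it is a way to sanity-check what a rule's depth, urilen and "!" constraints accept before submitting a pcap.

```python
# Constructed requests (not captured traffic) to exercise the submitted rules.
MARAP_HIT = b"POST /dot.php HTTP/1.1\r\nHost: h\r\n\r\nparam=AAAA"
MARAP_BAD_DEPTH = b"POST /dot.php HTTP/1.1\r\nHost: h\r\n\r\nx=1&param=AAAA"
MARAP_BAD_URILEN = b"POST /dot.php?x=1 HTTP/1.1\r\nHost: h\r\n\r\nparam=AAAA"
KEYPASS_HIT = b"GET /get.php HTTP/1.0\r\nHost: h\r\n\r\n"
KEYPASS_MISS = b"GET /get.php HTTP/1.0\r\nHost: h\r\nUser-Agent: curl\r\n\r\n"

# One dict per option, mirroring the rule text; "raw" means the content has
# no http_* modifier and is searched in the whole payload.
MARAP_8000263 = [
    {"urilen": 8},
    {"content": b"/dot.php", "buffer": "http_uri"},
    {"content": b"param=", "buffer": "http_client_body", "depth": 6},
]
KEYPASS_8000265 = [
    {"content": b"GET /get.php HTTP/1.0", "buffer": "raw"},
    {"content": b"User-Agent", "buffer": "http_header", "negated": True},
]

def http_buffers(raw):
    """Split a request into the buffers the rules inspect (simplified: the
    header buffer is everything after the request line, before the body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    uri = request_line.split(b" ")[1]
    return {"raw": raw, "http_uri": uri, "http_header": headers,
            "http_client_body": body}

def content_match(buf, opt):
    """Search `buf` for the content; `depth` limits the search to the first
    N bytes of the buffer, so depth == len(content) pins it to offset 0, and
    a negated content (content:!"...") succeeds only when it is absent."""
    needle, hay = opt["content"], buf
    if "depth" in opt:
        hay = hay[: opt["depth"]]
    if opt.get("nocase"):
        hay, needle = hay.lower(), needle.lower()
    found = needle in hay
    return not found if opt.get("negated") else found

def rule_matches(opts, raw):
    """All options must hold; urilen compares the URI buffer length exactly."""
    bufs = http_buffers(raw)
    for opt in opts:
        if "urilen" in opt:
            if len(bufs["http_uri"]) != opt["urilen"]:
                return False
        elif not content_match(bufs[opt["buffer"]], opt):
            return False
    return True
```

With these inputs the Marap rule fires only when the body starts with "param=" and the URI is exactly eight bytes, and the KeyPass rule fires only when the User-Agent header is absent.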
