snort-sigs February 2011 archive

Re: [Snort-sigs] Snort-sigs Digest, Vol 57, Issue 17

From: Anthony Camilo <acamilo_at_nospam>
Date: Thu Feb 10 2011 - 23:25:14 GMT
To: "snort-sigs@lists.sourceforge.net" <snort-sigs@lists.sourceforge.net>

Regards,

Anthony Camilo
(Sent while on the go)

"snort-sigs-request@lists.sourceforge.net" <snort-sigs-request@lists.sourceforge.net> wrote:

Send Snort-sigs mailing list submissions to
        snort-sigs@lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request@lists.sourceforge.net

You can reach the person managing the list at
        snort-sigs-owner@lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."

Today's Topics:

   1. Re: Coverage for the "Night Dragon" Trojan (Matthew Jonkman)
   2. Re: Coverage for the "Night Dragon" Trojan (Mike Cox)

----------------------------------------------------------------------

Message: 1
Date: Thu, 10 Feb 2011 15:39:14 -0500
From: Matthew Jonkman <jonkman@emergingthreatspro.com>
Subject: Re: [Snort-sigs] Coverage for the "Night Dragon" Trojan
To: Matt Olney <molney@sourcefire.com>
Cc: "snort-sigs@lists.sourceforge.net"
        <snort-sigs@lists.sourceforge.net>
Message-ID:
        <BCC1DA85-2A95-4E6E-9DFD-8E89689CBCF4@emergingthreatspro.com>
Content-Type: text/plain; charset="us-ascii"

Thanks Matt! You're right, the one version we have isn't good, but the second version does fit the traffic, so it'll fire.

Appreciate the tweak, new version out shortly.

Matt

On Feb 10, 2011, at 3:27 PM, Matt Olney wrote:

> Hey ET folks who are here...
>
> If you guys could pass on this information:
>
> The rules provided won't fire on Night Dragon C&C traffic. The offset:66 is calculated from the beginning of the Layer 2 portion of the packet. The data portion (what Snort looks at) starts at offset 54. The correct offset for the rule should be 12. Also, you probably want to add a depth: qualifier of 3 bytes so you don't false positive further down the packet.
>
> Don't normally check in on you guys, but this was important enough to check.
>
> Matt
>
> On Thu, Feb 10, 2011 at 2:47 PM, evilghost@packetmail.net <evilghost@packetmail.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/10/11 13:41, Joel Esler wrote:
> > Registered users will have the normal 30 day wait.
>
> Joel, I think this is ok to post here...
>
> For those who are looking for coverage who are not VRT subscribers, it's in
> Emerging-Threats (http://www.emergingthreats.net).
>
> There's an ongoing discussion here regarding several signatures which have been
> proposed for inclusion, see
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
>
> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
> simple/normal community participant there.
>
> - --
> It has been said that "hate" is a powerful emotion, perhaps that's why I'm so
> strong.
>
> - -evilghost
>
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


------------------------------

Message: 2
Date: Thu, 10 Feb 2011 15:01:51 -0600
From: Mike Cox <mike.cox52@gmail.com>
Subject: Re: [Snort-sigs] Coverage for the "Night Dragon" Trojan
To: Matt Olney <molney@sourcefire.com>
Cc: "snort-sigs@lists.sourceforge.net"
        <snort-sigs@lists.sourceforge.net>,
        "emerging-sigs@emergingthreats.net"
        <Emerging-sigs@emergingthreats.net>
Message-ID:
        <AANLkTimDHNLNZrfahLtaXoCqUO64K4WOfMe6iOZLSKxE@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hmmm ... this sounds like the sig I proposed to Emerging Threats this
morning but got no feedback on.

Sourcefire, please let me know where to send the bill.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Night Dragon C&C Communication Outbound"; \
  content:"|68 57 24 13|"; offset:12; depth:4; http_client_body; \
  pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P"; \
  classtype:trojan-activity; \
  reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; \
  sid:2011213456;)

-Mike Cox

On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney@sourcefire.com> wrote:
> Hey ET folks who are here...
> If you guys could pass on this information:
> The rules provided won't fire on Night Dragon C&C traffic. The offset:66
> is calculated from the beginning of the Layer 2 portion of the packet. The
> data portion (what Snort looks at) starts at offset 54. The correct offset
> for the rule should be 12. Also, you probably want to add a depth:
> qualifier of 3 bytes so you don't false positive further down the packet.
> Don't normally check in on you guys, but this was important enough to check.
>
> Matt
> On Thu, Feb 10, 2011 at 2:47 PM, evilghost@packetmail.net
> <evilghost@packetmail.net> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 02/10/11 13:41, Joel Esler wrote:
>> > Registered users will have the normal 30 day wait.
>>
>> Joel, I think this is ok to post here...
>>
>> For those who are looking for coverage who are not VRT subscribers, it's in
>> Emerging-Threats (http://www.emergingthreats.net).
>>
>> There's an ongoing discussion here regarding several signatures which have
>> been
>> proposed for inclusion, see
>>
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
>>
>> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
>> simple/normal community participant there.
>>
>> - --
>> It has been said that "hate" is a powerful emotion, perhaps that's why I'm
>> so
>> strong.
>>
>> - -evilghost
>>
>>
>>
>
>

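The offset arithmetic Matt describes (frame offset 66 vs. payload offset 12, with the payload starting at 14 + 20 + 20 = 54) and the content/offset/depth/pcre logic of Mike's proposed rule, as an added Python example that is not part of this thread or of any ET or VRT code. The frame builder, the test payload bytes and every function name here are constructed for illustration; the payload is synthetic, not a capture of real Night Dragon traffic.

```python
import re
import struct

# Constructed test payload that satisfies the proposed rule's content and pcre.
# It is synthetic, not a capture of real Night Dragon traffic.
MARKER = bytes.fromhex("68572413")
PAYLOAD = b"\x01\x50" + b"\x00" * 10 + MARKER + b"trailing-data"

def build_frame(payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 + TCP frame, no options, checksums zeroed."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\xc0\xa8\x00\x01")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def payload_offset(frame: bytes) -> int:
    """Byte index where the TCP payload starts in an Ethernet/IPv4/TCP frame.
    Reads IHL and the TCP data offset, so IP/TCP options are handled too;
    14 + 20 + 20 = 54 is the no-options case from the thread."""
    ihl = (frame[14] & 0x0F) * 4
    tcp_start = 14 + ihl
    data_off = (frame[tcp_start + 12] >> 4) * 4
    return tcp_start + data_off

def to_payload_offset(frame: bytes, frame_offset: int) -> int:
    """Translate an offset measured from the start of the frame (as a packet
    viewer shows it) into the payload-relative offset Snort's 'offset' uses."""
    return frame_offset - payload_offset(frame)

def content_match(payload: bytes, needle: bytes, offset: int, depth: int) -> bool:
    """Snort content semantics: start `offset` bytes into the buffer and search
    only the next `depth` bytes, so depth must be at least len(needle)."""
    if depth < len(needle):
        return False
    return needle in payload[offset:offset + depth]

PCRE = re.compile(rb"[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13", re.DOTALL)

def rule_fires(payload: bytes) -> bool:
    """Both conditions of the proposed rule, evaluated over the body bytes."""
    return content_match(payload, MARKER, 12, 4) and PCRE.search(payload) is not None

if __name__ == "__main__":
    frame = build_frame(PAYLOAD)
    print("payload starts at", payload_offset(frame))          # 54
    print("frame offset 66 ->", to_payload_offset(frame, 66))  # 12
    print("offset:12 depth:4 fires:", rule_fires(PAYLOAD))     # True
    print("offset:66 fires:", content_match(PAYLOAD, MARKER, 66, 4))  # False
```

Note that a depth smaller than the 4-byte content (the "3 bytes" mentioned in the thread) can never match, which is why the proposed rule uses depth:4.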
------------------------------


------------------------------


End of Snort-sigs Digest, Vol 57, Issue 17
******************************************
