And I'd like to cap my week with something useful. It's a pair of simple Snort rules that will detect a packed executable downloaded via HTTP, which these days is nearly always some IE-sploited downloader.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Packed Executable Download via HTTP 1"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4c|"; distance:10; classtype:trojan-activity; sid:9000090; rev:3;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Packed Executable Download via HTTP 2"; flow:from_server,established; content:"|4D 5A 50|"; content:"|50 45 00 00 4c|"; distance:250; classtype:trojan-activity; sid:9000091; rev:1;)
*Note: The gianormous sid values are from the range that I use internally at work. It's otherwise meaningless.
Edited 1/30: Fixed false positive issue w/ GMail cookies
No comments:
Post a Comment