Friday, January 26, 2007

From Russia, With Malice

And I'd like to cap my week with something useful. It's a pair of simple Snort rules that will detect a packed executable downloaded via HTTP, which these days is nearly always some IE-sploited downloader.

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Packed Executable Download via HTTP 1"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4c|"; distance:10; classtype:trojan-activity; sid:9000090; rev:3;)

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"LOCAL Packed Executable Download via HTTP 2"; flow:from_server,established; content:"|4D 5A 50|"; content:"|50 45 00 00 4c|"; distance:250; classtype:trojan-activity; sid:9000091; rev:1;)

*Note: The gianormous sid values are from the range that I use internally at work. It's otherwise meaningless.

Edited 1/30: Fixed false positive issue w/ GMail cookies

No comments:

Post a Comment