Cyber-TA and SRI Release Malware Threat Center
Written by Matt Jonkman   
Thursday, 10 April 2008

As you may know, Cyber-ta (http://www.cyber-ta.org ) is one of the projects we're working very closely with to bring some new tools and research to the Emerging Threats and Snort community. They've just released a new information source called MTC, Malware Threat Center.

 

There's a press release here with much more detail:  http://www.marketwire.com/mw/release.do?id=842518  

 

And of course the actual MTC is available here:

http://mtc.sri.com

 

The project has only just begun, so if you see new ideas or data that could benefit the community, please let them know, or let us know and we can pass the information on.

 

Matt 

Last Updated ( Thursday, 10 April 2008 )
 
Bobax Spam Sigs
Written by Matt Jonkman   
Wednesday, 09 April 2008
Some great intelligence from Joe Stewart at Secureworks. It seems that the Bobax spam has some very unique and signature-able Message-Id fields.

If you block on these you ought to reduce the load on your spam filtering systems significantly. Load should be manageable even though the rules use PCRE, because the literal content match on "Message-Id: <" runs first and the regex is only evaluated on packets that contain it.

In the first one, Bobax uses a consistently long and structured Message-Id. It also uses a lowercase d in "Id", where the norm is "Message-ID" in all upper case. Note that the content match is case sensitive, so that lowercase d is part of the signature.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>/"; classtype:misc-activity; sid:2008121; rev:1;)


Here we have a predictable fixed string in the Message-Id, and the same lowercase d. The trailing part after the @ is usually a domain name.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[A-Z0-9]{6}EJXVWDA\d\d\d@/"; classtype:misc-activity; sid:2008122; rev:1;)

These will change over time of course, but they'll be good for a while. Please let me know how they fare! Be sure to pull the sigs from the rule repository rather than copying them from this post; later changes may not be reflected here.
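To check what the two rules above actually match before deploying them, here is an added example (my code, not part of the original post or the ET rule set) that applies the same literal content check and the same PCRE bodies, in Python, to a handful of constructed Message-Id headers. The sample headers are made up to illustrate the patterns; they are not real Bobax captures.

```python
import re

# The pcre bodies from the two ET rules, keyed by sid. Python's re module is
# case-sensitive by default, matching Snort's behaviour for content/pcre
# without the nocase / i modifiers, so the lowercase "d" in "Message-Id" and
# the uppercase-only character classes are enforced exactly as in the rules.
BOBAX_PATTERNS = {
    2008121: re.compile(r"Message-Id: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>"),
    2008122: re.compile(r"Message-Id: <[A-Z0-9]{6}EJXVWDA\d\d\d@"),
}

# Literal that the rules' content: option looks for before the regex runs.
CONTENT_PREFILTER = "Message-Id: <"

# Constructed sample headers (not real mail) covering both Bobax shapes,
# a normal server-generated Message-ID, a header with the lowercase "d" but
# an ordinary value, and a near miss whose domain part is lowercase.
SAMPLES = [
    ("bobax-style 1", "Message-Id: <7K3QZ91B.482103.55219@QWER>"),
    ("bobax-style 2", "Message-Id: <A1B2C3EJXVWDA742@example.net>"),
    ("legit uppercase ID", "Message-ID: <20080409123456.GA1234@mail.example.org>"),
    ("legit lowercase d", "Message-Id: <abcd1234@example.com>"),
    ("near miss lowercase domain", "Message-Id: <7K3QZ91B.482103.55219@qwer>"),
]


def match_bobax(data):
    """Return the list of sids that would fire on this SMTP DATA text.

    Mirrors the rule structure: the cheap literal content check acts as a
    prefilter, and only if it hits is each PCRE evaluated.
    """
    if CONTENT_PREFILTER not in data:
        return []
    return [sid for sid, pat in BOBAX_PATTERNS.items() if pat.search(data)]


def classify(samples):
    """Map each sample name to the sids it triggers (empty list = clean)."""
    return {name: match_bobax(header) for name, header in samples}


if __name__ == "__main__":
    for name, sids in classify(SAMPLES).items():
        print(f"{name:28s} -> {sids or 'no match'}")
```

The near-miss sample shows why the case sensitivity matters: a domain part that is not four uppercase letters followed directly by `>` will not trip sid 2008121, so a legitimate host like `QWER.example.com` would also pass. The prefilter check is what keeps the PCRE cost down in production: anything without the literal `Message-Id: <` never reaches the regex at all.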

 
Openpacket.org Operational!!
Written by Matt Jonkman   
Wednesday, 09 April 2008

The guys at Openpacket.org are finally out of development and have released a working project. This has been in the works for a while, and is a VERY much needed service for the security and networking community.

 

The basic idea is us in the community submit pcaps to openpacket, they archive and index them. Why would this be useful? I'll tell ya. How many times have you gone to write a signature about some protocol but weren't sure what "normal" traffic on that port looks like? Normally we'd then go somewhere to find that protocol in use, get pcaps, wait, grab the wrong stream, try again, finally get a sample pcap.

 

Well, now you can just go there, search for what you need, download and go. If you have a pcap that was useful to you, you can add it to the archive.

 

From the Emerging Threats perspective, we're going to try hard to put pcaps of exploits up on openpacket.org and use those as references in the documentation for rules. That'll help us go back in time and figure out what the heck we were thinking when we wrote a rule.

 

Anyway, congratulations to Richard and the guys at Openpacket. They've been working hard to get this online. Here's a reference to the announcement:

http://taosecurity.blogspot.com/2008/04/openpacketorg-10-is-live.html

 

And the site itself is http://www.openpacket.org  
