Thread: Encrypted Storm Traffic

Encrypted Storm Traffic
user name
United States
2007-10-15 06:44:46
A nice fun twist in the Storm worm story. They're encrypting the edonkey traffic now. Current sigs won't hit on these particular variants.

I've made up some new ones. These are relying on packet size and frequency. The search by md5 and ack packets are constant length, encrypted or not.

Please test there and let me know how they go, especially if they work!

alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; sid:2007634; rev:1;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; classtype:trojan-activity; sid:2007635; rev:1;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; classtype:trojan-activity; sid:2007637; rev:1;)

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
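An added example, not code from the post or from Bleeding Edge Threats: a pure-Python model of the four rules' size-plus-frequency logic, run over constructed UDP packet records so the counts and windows can be checked offline. It assumes Snort's "type threshold" semantics (a fixed window opened by the first matching packet, an alert on every count-th match) and uses placeholder addresses for $HOME_NET and the outside hosts.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float   # capture time, seconds
    src: str
    dst: str
    sport: int
    dport: int
    dsize: int  # UDP payload length, which is what Snort's dsize tests

# The four rules from the post as (sid, direction, dsize, count, seconds, track);
# direction "out" is $HOME_NET -> $EXTERNAL_NET, "in" the reverse.
RULES = [
    (2007634, "out", 25, 40, 60, "src"),  # Outbound - Likely Search by md5
    (2007635, "in",   2, 10, 60, "dst"),  # Inbound - Likely Connect Ack
    (2007636, "in",  25, 40, 60, "dst"),  # Inbound - Likely Search by md5
    (2007637, "out",  2, 10, 60, "src"),  # Outbound - Likely Connect Ack
]

class ThresholdDetector:
    def __init__(self, home_net):
        self.home_net = set(home_net)  # stands in for $HOME_NET
        self.state = {}                # (sid, tracked host) -> (window start, count)

    def _matches(self, pkt, direction, dsize):
        # Header part of each rule: both ports 1024:65535, direction, exact dsize.
        if not (1024 <= pkt.sport <= 65535 and 1024 <= pkt.dport <= 65535):
            return False
        flow = (pkt.src in self.home_net, pkt.dst in self.home_net)
        wanted = (True, False) if direction == "out" else (False, True)
        return flow == wanted and pkt.dsize == dsize

    def feed(self, pkt):
        """Return the sids that fire on this packet. 'type threshold' alerts on
        every count-th matching packet inside a fixed window of `seconds`."""
        fired = []
        for sid, direction, dsize, count, seconds, track in RULES:
            if not self._matches(pkt, direction, dsize):
                continue
            key = (sid, pkt.src if track == "src" else pkt.dst)
            start, n = self.state.get(key, (pkt.ts, 0))
            if pkt.ts - start >= seconds:  # window expired: start a new one
                start, n = pkt.ts, 0
            n += 1
            if n >= count:
                fired.append(sid)
                n = 0  # counter restarts after an alert, as in Snort's type threshold
            self.state[key] = (start, n)
        return fired

def run(packets, home_net=("10.0.0.5",)):
    """Feed a packet list through a fresh detector; return [(ts, sid), ...]."""
    det = ThresholdDetector(home_net)
    return [(p.ts, sid) for p in packets for sid in det.feed(p)]

# Constructed traffic (not a real capture): 40 x 25-byte outbound datagrams in
# 40 s, firing 2007634 on the 40th, then 40 x 30-byte ones that no rule counts.
SAMPLE = [Packet(float(i), "10.0.0.5", "198.51.100.%d" % (i % 7), 7000 + i, 4000 + i, 25)
          for i in range(40)]
SAMPLE += [Packet(40.0 + i, "10.0.0.5", "198.51.100.9", 7100, 4100, 30) for i in range(40)]
```

Anything else that sends forty 25-byte UDP datagrams between high ports inside a minute fires the same way, which is why the eDonkey false-positive question raised later in the thread matters: the rules see size and rate, not content.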

RE: Encrypted Storm Traffic
user name
2007-10-15 17:04:29
Thanks! Do you have any PCAPs?

-Anne 

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf Of Matt Jonkman
Sent: Monday, October 15, 2007 4:45 AM
To: Bleeding Sigs
Subject: [Bleeding-sigs] Encrypted Storm Traffic

Re: Encrypted Storm Traffic
user name
United States
2007-10-15 19:48:11
I have one sample, but the pcap is pretty polluted as I tried a bunch of things to get it to activate. Turned out the sample went live after a reboot only.

Let me see about getting more through and I'll share those. If you do want the polluted one hit me off list.

Matt

Henmi, Anne wrote:
> Thanks! Do you have any PCAPs?

RE: Encrypted Storm Traffic
user name
United States
2007-10-15 23:24:21
If you do send out any PCAPs, please make sure the traffic is sanitized.

Thanks.

-Anne

-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net on behalf of Matt Jonkman
Sent: Mon 10/15/2007 5:48 PM
To: Bleeding Sigs
Subject: Re: [Bleeding-sigs] Encrypted Storm Traffic
RE: Encrypted Storm Traffic
user name
2007-10-15 23:17:20

Both if you can. Lots of traffic is better to give you more feedback in testing.

-Anne


-----Original Message-----
From: bleeding-sigs-bounces@bleedingthreats.net on behalf of Matt Jonkman
Sent: Mon 10/15/2007 5:48 PM
To: Bleeding Sigs
Subject: Re: [Bleeding-sigs] Encrypted Storm Traffic


Re: Encrypted Storm Traffic
user name
2007-10-23 16:02:44
Hi, all,

Is anyone seeing false-positives with these rules? Does eDonkey traffic trigger them?

Thanks,
Erik

On 10/15/07, Henmi, Anne <ahenmi@securify.com> wrote:
> Both if you can. Lots of traffic is better to give you more feedback in
> testing.
