https://live.paloaltonetworks.com/t5/automation-api-discussions/need-assistance-with-custom-signature-for-shamoon/m-p/41265#M961 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">We are alerting on Shamoon on our IDS systems, but we want to write a custom signature for the PANs.&nbsp; Shamoon has two signatures for snort:</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">alert tcp $HOME_NET any -&gt; any $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DistTrack command and control traffic"; flow:to_server,established; content:"/ajax_modal/modal/data.asp"; nocase; http_uri; content:"&amp;state="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http;reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23893; rev:4; )</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">alert tcp $HOME_NET any -&gt; any $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; content:"User-Agent|3A| you|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; )</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">I am trying to figure a way to take these and turn it to a custom signature on the PANs but seem not to be able to find the appropriate documentation to block outbound web traffic that would match the signature.</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">Any suggestions would be very helpful.</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">David<BR /></SPAN></P></BODY></HTML> Sat, 27 Oct 2012 20:15:48 GMT dgilliam 2012-10-27T20:15:48Z https://live.paloaltonetworks.com/t5/automation-api-discussions/need-assistance-with-custom-signature-for-shamoon/m-p/41265#M961 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">We are alerting on Shamoon on our IDS systems, but we want to write a custom signature for the PANs.&nbsp; Shamoon has two signatures for snort:</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">alert tcp $HOME_NET any -&gt; any $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DistTrack command and control traffic"; flow:to_server,established; content:"/ajax_modal/modal/data.asp"; nocase; http_uri; content:"&amp;state="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http;reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23893; rev:4; )</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">alert tcp $HOME_NET any -&gt; any $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - you"; flow:to_server,established; content:"User-Agent|3A| you|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory-W32-DistTrack.pdf; classtype:trojan-activity; sid:23903; rev:2; )</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">I am trying to figure a way to take these and turn it to a custom signature on the PANs but seem not to be able to find the appropriate documentation to block outbound web traffic that would match the signature.</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">Any suggestions would be very helpful.</SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;"><BR /></SPAN></P><P><SPAN style="font-size: 10.5pt; font-family: 'Calibri','sans-serif'; color: black;">David<BR /></SPAN></P></BODY></HTML> Sat, 27 Oct 2012 20:15:48 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/need-assistance-with-custom-signature-for-shamoon/m-p/41265#M961 dgilliam 2012-10-27T20:15:48Z https://live.paloaltonetworks.com/t5/automation-api-discussions/need-assistance-with-custom-signature-for-shamoon/m-p/41266#M962 <HTML><HEAD></HEAD><BODY><P>Hi David,</P><P></P><P>I would suggest the following:</P><P></P><P>Signature 1: Match "/ajax_modal/modal/data.asp" in http-req-uri-path, and "&amp;state=" in http-req-params</P><P>Signature 2: Match "User-Agent\x3A\x you \x0D 0A\x" in http-req-headers.</P></BODY></HTML> Tue, 30 Oct 2012 00:31:53 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/need-assistance-with-custom-signature-for-shamoon/m-p/41266#M962 tettema 2012-10-30T00:31:53Z