Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
850
Views
1
Helpful
5
Replies

Gumblar Bot Net - IPS Signatures

solinal01
Level 1
Level 1

‎05-29-2009 09:49 AM - edited ‎03-10-2019 04:38 AM

According to Cisco's bulletin, they do not have any signatures recommended to stop the Gumblar Bot Net. However, a client of ours, uses IBM's Proventia and they currently have a list of signatures they recommend to block.

IBM: http://www.iss.net/threats/gumblar.html

Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=18286

Since I'm new to the IPS realm, I'm curious if I can basically set to block all of the PDF related remote execution/vulnerabilities and curious if this will help us in mitigating this attack.

Thanks for any guidance you may give.

Labels:
0 Helpful
5 Replies 5

yuliang13
Level 1
Level 1

‎05-31-2009 06:02 PM

perhaps you need to write a custom signature

solinal01
Level 1
Level 1
In response to yuliang13

‎06-01-2009 04:16 AM

Well considering I'm new to all of this, I guess that is not going to happen.

Thanks.

0 Helpful

clausonna
Level 3
Level 3
In response to solinal01

‎06-10-2009 11:42 AM

Ask, and ye shall receive:

Create a custom sig using the service-http engine. Set it for TCP and use the built-in WEBPORTS variable for common ports (although in the case you can probably do tcp/80.)

Specify the Argument Name Regex as:

((action=).*(&entity_list=).*(&uid=).*(&first=).*(&guid=).*(&rnd=).*)

Full disclosure: this is my first real attempt at using Regex in an IPS sig. I would assume there are better ways to write this regex; this is just what I came up with.

What the regex is saying is "match exactly on the string "action=" followed by any character (the '.') any number of times (the '*'), followed by the the string (&entity_list=) etc. They have to be in that exact order. In this version it has to be a case-sensitive match. It should really be broken down like: ([Aa][Cc][Tt][Ii][Oo][Nn][=]) but the malware isn't exhibiting that behavior yet, so...

You want to swap the attacker/victim setting to (i.e. even though its an internal host that's initiating the traffic, its really the destination that's the bad guy.)

For what its worth, I would think that the Cisco guys should be able to create this as a real sig for inclusion in their updates. If you guys are interested I can try converting more of the Emerging Threat (emergingthreats.net) sigs to be Cisco IPS sigs.

0 Helpful

solinal01
Level 1
Level 1
In response to clausonna

‎06-10-2009 11:47 AM

Sweet - thank you thank you thank you!!

Unfortunately, I cannot 'test' this, and since this would be my 'first' one, I would like to test before I place into production....our licenses are 'mixed up' for my lab ASA/IPS....as soon as that is ironed out - I will definitely attempt this!

Thank you again!

Lillian

0 Helpful

clausonna
Level 3
Level 3
In response to solinal01

‎06-10-2009 12:24 PM

Happy to help. I strongly recommend testing this sig first, since Regex is CPU intensive (and since, as I mentioned, I'm new to writing Regex sigs). You could remove some of the 'inside' Arg Names to simplify the regex (ie. get rid of the &first= or &guid= names)

I've already had a true positive hit on this sig, from a guest machine on my network. Here's the HTTP GET that the infected client issued:

GET /garret/controller.php?action=bot&entity_list=2351576910,1212183482,1232434&uid=1&first=0&guid=22439923423&rnd=9242 HTTP/1.1

Host: hott-rodd.cn

Going against destination IP 204.69.199.39.

Good luck.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card