According to Cisco's bulletin, they do not have any signatures recommended to stop the Gumblar Bot Net. However, a client of ours, uses IBM's Proventia and they currently have a list of signatures they recommend to block.
Full disclosure: this is my first real attempt at using Regex in an IPS sig. I would assume there are better ways to write this regex; this is just what I came up with.
What the regex is saying is "match exactly on the string "action=" followed by any character (the '.') any number of times (the '*'), followed by the the string (&entity_list=) etc. They have to be in that exact order. In this version it has to be a case-sensitive match. It should really be broken down like: ([Aa][Cc][Tt][Ii][Oo][Nn][=]) but the malware isn't exhibiting that behavior yet, so...
You want to swap the attacker/victim setting to (i.e. even though its an internal host that's initiating the traffic, its really the destination that's the bad guy.)
For what its worth, I would think that the Cisco guys should be able to create this as a real sig for inclusion in their updates. If you guys are interested I can try converting more of the Emerging Threat (emergingthreats.net) sigs to be Cisco IPS sigs.
Unfortunately, I cannot 'test' this, and since this would be my 'first' one, I would like to test before I place into production....our licenses are 'mixed up' for my lab ASA/IPS....as soon as that is ironed out - I will definitely attempt this!
Happy to help. I strongly recommend testing this sig first, since Regex is CPU intensive (and since, as I mentioned, I'm new to writing Regex sigs). You could remove some of the 'inside' Arg Names to simplify the regex (ie. get rid of the &first= or &guid= names)
I've already had a true positive hit on this sig, from a guest machine on my network. Here's the HTTP GET that the infected client issued:
GET /garret/controller.php?action=bot&entity_list=2351576910,1212183482,1232434&uid=1&first=0&guid=22439923423&rnd=9242 HTTP/1.1
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :