Well, during my stay at the SecTor conference I attended a couple of talks about malware to understand this subject better, and it seems that malware IS DOING user agent detection, but it's done (at least for what I could see) using JavaScript code. This means that sending a different UA header won't make much difference in terms of what we see in the HTTP response body.
On Tue, Oct 8, 2013 at 9:21 AM, Andres Riancho <[email protected]> wrote:
> Wayne,
>
> On Mon, Oct 7, 2013 at 10:20 PM, Wayne Dawson <[email protected]> wrote:
>> Hi Andres, emerging rules make sense.
>>
>> I'm wondering, however (I'm not sure), if one needs to lie about Browser (IE 8?), OS (Windows), Plugins (java, adobe flash, adobe reader, etc) for some of the rules, like exploit kit rules, to trigger? Unless the exploit kit is point and shoot, but it sounds like they have browser and plugin detection scripts. Of course, the more generic rules would work (suspicious <iframe>, for instance). However, picking an IE 8, Windows XP user agent would likely get the most bang for one's buck.
>>
>> Just a thought...
>
> Well, that's interesting, never thought about that and it completely makes sense. If I were writing some web malware I would match the UA before sending an exploit. At the same time it could be that a) malware writers don't care and simply send the exploit to all visitors, b) they thought about this and said: "Well, UA detection is *hard* and we might get it wrong, we better send the exploits to all visitors. If the exploit doesn't work, nothing will happen on the client's side anyway".
>
> Any ideas on resources where we could check how this works?
>
>>> On 6 Okt 2013, at 18.58, Andres Riancho <[email protected]> wrote:
>>>
>>> Maybe the focus should be moved away from the detection engines (snort, suricata) and into the rules provider(s)?
>>>
>>> http://www.emergingthreats.net/open-source/
>>>
>>>> On Sun, Oct 6, 2013 at 8:53 AM, Andres Riancho <[email protected]> wrote:
>>>> Andri,
>>>>
>>>> Good question, actually I didn't even consider Suricata because I was unaware of its existence :( So, after reading the suricata website for some minutes it seems that their rule format is *very similar* (the same?) as the one from snort, which could make things easier if we want to support both.
>>>>
>>>> When it comes to what we want to do, the only thing that matters is quality (re: false positives) and quantity of the rules to detect web malware. Do you know if there is a comparison between suricata and snort rulesets?
>>>>
>>>> Regards,
>>>>
>>>>> On Sat, Oct 5, 2013 at 11:37 PM, Andri Herumurti <[email protected]> wrote:
>>>>> Hi Andres,
>>>>>
>>>>> What if we use Suricata instead of Snort?
>>>>> Here is the comparison:
>>>>> http://wiki.aanval.com/wiki/Snort_vs_Suricata
>>>>>
>>>>> Regards,
>>>>> Andri
>>>>>
>>>>> ________________________________
>>>>> From: Andres Riancho <[email protected]>
>>>>> To: "[email protected]" <[email protected]>; "[email protected]" <[email protected]>
>>>>> Sent: Sunday, October 6, 2013 3:38 AM
>>>>> Subject: [W3af-develop] Snort rules to detect malware
>>>>>
>>>>> Guys,
>>>>>
>>>>> We already have a clamav plugin that will identify if an HTTP response body (usually a PE, DLL, ELF, PDF, DOC etc.) contains a virus or not. The other day I was thinking about how to improve this and came up with the idea of using snort rules to detect malware [0].
>>>>>
>>>>> The idea is rather simple:
>>>>> * Crawl the site (we already do that)
>>>>> * Parse snort rules into regular expressions
>>>>> * Create a grep plugin that will apply those regular expressions to each HTTP response body
>>>>> * If a match is found, then report it to the knowledge base
>>>>>
>>>>> What do you guys think about the idea? Anyone with snort experience to weigh in with some facts on how many false positives are found by rules like these? Does anyone know about the licensing for the rules? Can we include them in our repository?
>>>>>
>>>>> [0] https://github.com/andresriancho/w3af/issues/671
>>>>>
>>>>> Regards,
>>>>> --
>>>>> Andrés Riancho
>>>>> Project Leader at w3af - http://w3af.org/
>>>>> Web Application Attack and Audit Framework
>>>>> Twitter: @w3af
>>>>> GPG: 0x93C344F3
>>>>>
>>>>> _______________________________________________
>>>>> W3af-develop mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
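As an added example (not w3af code and not from any message in this thread), here is a minimal Python sketch of the "parse snort rules into regular expressions, then grep response bodies" idea from the original post. It handles `content:` options (with `|hex|` byte groups and the `nocase` modifier) and `pcre:` options, and deliberately ignores positional modifiers such as `distance`, which is one place the false positives the thread worries about come from. The rule and both response bodies are constructed samples; the sid is in the local range and the msg text is invented.

```python
import re

# Constructed sample rule in Snort/Suricata syntax (not a real Emerging Threats rule).
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"EXAMPLE hidden iframe plus obfuscated eval"; flow:established,to_client; '
    'content:"<iframe"; nocase; content:"|20|width=1|20|height=1"; distance:0; '
    'pcre:"/eval\\(unescape\\(/i"; classtype:trojan-activity; sid:9000001; rev:1;)'
)

# One rule option: a name, optionally ':' plus a quoted or bare value, terminated by ';'.
_OPT_RE = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def _content_to_regex(value):
    """Escape a Snort content string; odd-numbered chunks between '|' are hex bytes."""
    parts = []
    for i, chunk in enumerate(value.split('|')):
        if i % 2:
            chunk = bytes.fromhex(chunk.replace(' ', '')).decode('latin-1')
        parts.append(re.escape(chunk))
    return ''.join(parts)


def parse_rule(rule):
    """Return (msg, [compiled regexes]); every regex must match for the rule to fire."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    msg, patterns = '', []  # patterns: [regex_source, flags]
    for name, value in _OPT_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]
        if name == 'msg':
            msg = value
        elif name == 'content':
            patterns.append([_content_to_regex(value), 0])
        elif name == 'nocase' and patterns:  # modifies the preceding content
            patterns[-1][1] = re.IGNORECASE
        elif name == 'pcre':  # "/regex/flags"; only the i flag is honoured here
            source, flags = value[1:].rsplit('/', 1)
            patterns.append([source, re.IGNORECASE if 'i' in flags else 0])
        # distance/within/offset are ignored: matches are unordered, so expect more false positives
    return msg, [re.compile(src, flg) for src, flg in patterns]


def grep_response(body, rules):
    """Apply parsed rules to one HTTP response body; return the msgs of rules that fired."""
    return [msg for msg, regexes in rules if all(r.search(body) for r in regexes)]


# Constructed response bodies: a benign 300x200 iframe, and a 1x1 iframe plus eval(unescape(...)).
BENIGN_BODY = '<html><body><iframe src="https://example.com/widget" width=300 height=200></iframe></body></html>'
SUSPICIOUS_BODY = ('<html><body><IFRAME src="http://example.invalid/land.php" width=1 height=1></IFRAME>'
                   '<script>eval(unescape("%76%61%72"));</script></body></html>')
```

Calling `grep_response(SUSPICIOUS_BODY, [parse_rule(EXAMPLE_RULE)])` returns the rule's msg, while the benign body returns an empty list; a real plugin would also have to respect the ordering modifiers before trusting the match count.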
