Snort mailing list archives
Re: More sid 1841
From: Michael Boman <michael.boman () securecirt com>
Date: Sat, 22 Feb 2003 22:59:20 +0800
On Fri, Feb 21, 2003 at 03:27:10PM -0500, Matt Kettler wrote:
> Yes, you are correct, the \n needs to be part of the exploit, however the size of {url-here} is arbitrary. Snort is a simple pattern matcher, so it has no way of stating "look for "javascript://" followed by a "\n" somewhere before a quote character". Which is the only way of doing it that's not subject to false positives. I suppose the code could make some bad assumptions and assume a domain is no longer than 100 bytes, and look for a \n within 100 bytes of javascript://. That's an improvement to the rule, but not a flawless fix, as now an attacker can just insert padding to get around setting off the alert.
According to RFC 1034 and 1035 the hostname can be a maximum of 255 bytes, so just make sure the '\n' is within 255 bytes from the end of 'javascript://'.

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com
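The two detection approaches discussed in the thread, side by side, as an added illustration that is not part of the original mail or of the sid 1841 rule: a Python emulation of the bounded Snort check Boman proposes (`content:"javascript://"; content:"|0A|"; within:255;` is assumed here as the rule text) next to the unbounded "newline before the closing quote" check Kettler describes, run over constructed sample payloads. The third sample reproduces the false negative Kettler warns about: once the padding exceeds the 255-byte window the bounded rule stays silent while the unbounded check still fires.

```python
import re

# Added illustration, not the sid 1841 rule: emulate a Snort rule of the form
#   content:"javascript://"; content:"|0A|"; within:255;
# (the bounded check proposed in the thread) and compare it with the unbounded
# check Matt Kettler describes (a newline anywhere before the closing quote).

MAX_HOSTNAME = 255  # RFC 1034/1035 name length limit cited in the thread


def snort_within_match(payload: bytes, within: int = MAX_HOSTNAME) -> bool:
    """Emulate content:"javascript://"; content:"|0A|"; within:N;.

    Snort's `within` keyword confines the second content to the N bytes that
    follow the end of the previous match. Like Snort, retry every occurrence
    of the first content instead of giving up after the first one.
    """
    needle = b"javascript://"
    pos = payload.find(needle)
    while pos != -1:
        end = pos + len(needle)
        if b"\n" in payload[end:end + within]:
            return True
        pos = payload.find(needle, pos + 1)
    return False


# Newline after javascript:// with no quote character in between.
_UNBOUNDED = re.compile(rb'javascript://[^"\']*\n')


def unbounded_match(payload: bytes) -> bool:
    """The check Kettler says a plain pattern matcher cannot express."""
    return _UNBOUNDED.search(payload) is not None


# Constructed sample payloads (not taken from the thread).
SAMPLES = {
    "short_host": b'<a href="javascript://www.example.com\nx">',
    "padded_host": b'<a href="javascript://' + b"a" * 300 + b'\nx">',  # beyond 255 bytes
    "benign": b'<a href="javascript://www.example.com">',
}


def evaluate(samples=SAMPLES):
    """Return {name: (within_255_hit, unbounded_hit)} for each sample."""
    return {name: (snort_within_match(p), unbounded_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (bounded, unbounded) in evaluate().items():
        print(f"{name:12s} within:255={str(bounded):5s} unbounded={unbounded}")
```

Running the block shows `short_host` and `benign` classified identically by both checks, while `padded_host` is caught only by the unbounded regex; that gap is exactly the trade-off the thread is weighing between a rule Snort's content matcher can express and one that is free of this false negative.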