Re: ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)

[Will Metcalf <william.metcalf () gmail com>]

And as a clarification depth fails for me relative to file_data in
2.9.0 as well. Anybody from SF able to verify this yet?  If for no
other reason than for your VRT subscribers?

#VRT rule directory
grep "file_data" *|wc -l
86

Regards,

Will

On Fri, Oct 22, 2010 at 1:23 PM, Will Metcalf <william.metcalf () gmail com> wrote:
> This is completely contradictory to what is in the snort users manual,
> so I wouldn't say usage isn't "neat" I would say it's usage is very
> clearly defined and apparently not adhered to. Joel?
>
> Regards,
>
> Will
>
> "3.5.24 file data
> This option is used to place the cursor (used to walk the packet
> payload in rules processing) at the beginning of either
> the entity body of a HTTP response or the SMTP body data. For this
> option to work with HTTP response, certain
> HTTP Inspect options such as extended response inspection and inspect
> gzip (for decompressed gzip data)
> needs to be turned on. See 2.2.6 for more details.
> When used with argument mime it places the cursor at the beginning of
> the base64 decoded MIME attachment or
> base64 decoded MIME body. This is dependent on the SMTP config option
> enable mime decoding. See 2.2.7 for
> more details.
> Format
> file_data;
> file_data:mime;
> This option matches if there is HTTP response body or SMTP body or
> SMTP MIME base64 decoded data. This
> option will operate similarly to the dce stub data option added with
> DCE/RPC2, in that it simply sets a reference
> for other relative rule options ( byte test, byte jump, pcre) to use.
> This file data can point to either a file or a block
> of data.
> ! NOTE
> Multiple base64 encoded attachments in one packet are pipelined.
>
> Example
> alert tcp any 80 -> any any(msg:"foo at the start of http response body"; \
> file_data; content:"foo"; nocase; within:3;)
> alert tcp any any -> any any(msg:"MIME BASE64 Encoded Data";\
> file_data:mime; content:"foo"; within:10;)
> "
>
> On Fri, Oct 22, 2010 at 1:04 PM, Pedro Marinho <pppmarinho () gmail com> wrote:
> > Will,
> >
> > i tested this and does work..
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > (flow:established,to_client; file_data; content:"%PDF-"; depth:5;
> > classtype:bad-unknown;)
> >
> > i guess is possible to use depth with file_data. now i am confused.. the
> > snort manual is not neat about it's usage..
> >
> >
> > Message: 1
> > Date: Thu, 21 Oct 2010 22:20:51 -0500
> > From: Will Metcalf <william.metcalf () gmail com>
> > Subject: Re: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP
> >        404 XSS Attempt (External Source)
> > To: "Lay, James" <james.lay () wincofoods com>
> > Cc: "emerging-sigs () emergingthreats net"
> >        <Emerging-sigs () emergingthreats net>
> > Message-ID:
> >        <AANLkTinosDDspQtDjm4yPVD5RL5BEA8z0T4LgY+jf0Ay () mail gmail com>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > And perhaps there is a bug in file_data ;-)....  Anyway I'm disabling
> > this sig by default.
> >
> > Regards,
> >
> > Will
> >
> > On Thu, Oct 21, 2010 at 5:06 PM, Will Metcalf <william.metcalf () gmail com>
> > wrote:
> > > Hmmm if somebody can send a ?pcap off list that would be awesome. ?I
> > > have tweaked the sig a bit as I believe the original intent was to
> > > identify xss in 4xx 5xx response bodies and the conversion was borked
> > > as file_data moves the inspection pointer similar to dce_stub_data so
> > > the depth check is from the beginning of the payload not from the
> > > start of file_data.
> > >
> > > Regards,
> > >
> > > Will
> > >
> > > On Thu, Oct 21, 2010 at 4:33 PM, Lay, James <james.lay () wincofoods com>
> > > wrote:
> > > > -----Original Message-----
> > > > From: emerging-sigs-bounces () emergingthreats net
> > > > [mailto:emerging-sigs-bounces () emergingthreats net] On Behalf Of Eoin
> > > > Miller
> > > > Sent: Thursday, October 21, 2010 3:20 PM
> > > > To: emerging-sigs () emergingthreats net
> > > > Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
> > > > XSS Attempt (External Source)
> > > >
> > > > I am not sure if I understand the point of this signature:
> > > >
> > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> > > > Possible HTTP 404 XSS Attempt (External Source)";
> > > > flow:from_server,established; content:"404"; http_stat_code;
> > > > content:"Not Found"; nocase; http_stat_msg; file_data;
> > > > content:"<script"; nocase; depth:280; classtype:web-application-
> > >
> > > attack;
> > > > > reference:url,doc.emergingthreats.net/2010518;
> > > > >
> > > > > reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT
> > > > > /WEB_Error_XSS;
> > > > > sid:2010518; rev:5;)
> > > > >
> > > > >
> > > > > I'm in the same boat...hit and packet dump enclosed:
> > > > >
> > > > > 10/21-14:06:21.176785 ?[**] [1:2010518:5] ET WEB_CLIENT Possible HTTP
> > > > > 404 XSS Attempt (External Source) [**] [Classification: Web Application
> > > > > Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018
> > > > >
> > > > > 14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.],
> > > > > ack 4289524988, win 63784, length 233
> > > > > ? ? ? ?0x0000: ?4500 0111 5036 4000 3906 a92b 614a 39f6
> > > > > E...P6@.9..+aJ9.
> > > > > ? ? ? ?0x0010: ?42c1 6984 0050 6d72 3248 898d ffac f4fc
> > > > > B.i..Pmr2H......
> > > > > ? ? ? ?0x0020: ?5018 f928 bdcb 0000 4854 5450 2f31 2e31
> > > > > P..(....HTTP/1.1
> > > > > ? ? ? ?0x0030: ?2034 3034 204e 6f74 2046 6f75 6e64 0d0a
> > > > > .404.Not.Found..
> > > > > ? ? ? ?0x0040: ?4461 7465 3a20 5468 752c 2032 3120 4f63
> > > > > Date:.Thu,.21.Oc
> > > > > ? ? ? ?0x0050: ?7420 3230 3130 2032 303a 3036 3a32 3620
> > > > > t.2010.20:06:26.
> > > > > ? ? ? ?0x0060: ?474d 540d 0a53 6572 7665 723a 2041 7061
> > > > > GMT..Server:.Apa
> > > > > ? ? ? ?0x0070: ?6368 650d 0a4b 6565 702d 416c 6976 653a
> > > > > che..Keep-Alive:
> > > > > ? ? ? ?0x0080: ?2074 696d 656f 7574 3d31 352c 206d 6178
> > > > > .timeout=15,.max
> > > > > ? ? ? ?0x0090: ?3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a
> > > > > =48..Connection:
> > > > > ? ? ? ?0x00a0: ?204b 6565 702d 416c 6976 650d 0a54 7261
> > > > > .Keep-Alive..Tra
> > > > > ? ? ? ?0x00b0: ?6e73 6665 722d 456e 636f 6469 6e67 3a20
> > > > > nsfer-Encoding:.
> > > > > ? ? ? ?0x00c0: ?6368 756e 6b65 640d 0a43 6f6e 7465 6e74
> > > > > chunked..Content
> > > > > ? ? ? ?0x00d0: ?2d54 7970 653a 2074 6578 742f 6874 6d6c
> > > > > -Type:.text/html
> > > > > ? ? ? ?0x00e0: ?3b20 6368 6172 7365 743d 7574 662d 380d
> > > > > ;.charset=utf-8.
> > > > > ? ? ? ?0x00f0: ?0a0d 0a31 3720 0d0a 3c68 313e 3430 3420
> > > > > ...17...<h1>404.
> > > > > ? ? ? ?0x0100: ?4e6f 7420 466f 756e 6421 3c2f 6831 3e0d
> > > > > Not.Found!</h1>.
> > > > > ? ? ? ?0x0110: ?0a ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? .
> > > > >
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > Emerging-sigs mailing list
> > > > > Emerging-sigs () emergingthreats net
> > > > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > > > >
> > > > > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> > > > > Lanyards
> > > > >
> > > > > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel