Snort mailing list archives
SIG: Script before DOCTYPE
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 21 Jun 2012 13:27:42 -0600
All,

Not sure if this is a good sig or not:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE script before DOCTYPE possible malicious redirect"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:xxxxxxx; rev:1;)

Many times that I've seen malicious JavaScript injected it's usually right at the top:

HTTP/1.1 200 OK
Date: Mon, 18 Jun 2012 17:29:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT; path=/; domain=www.glasstilestore.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT; path=/; domain=www.glasstilestore.com; httponly
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=8
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

dd13
<script src='http://httpjs.com/api' type='text/javascript'></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<!-- Google Website Optimizer Control Script -->
<script>

I welcome any pointers or reasons this sig stinks...danke

James
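The heuristic the rule above encodes (a closing script tag immediately ahead of the DOCTYPE in an HTML response body) can be checked outside Snort as well. The following is an added example, not code from the original post or from the Snort project: it strips the chunked transfer coding the captured response uses, as Snort's file_data buffer does, and applies the same marker to the normalized body. The sample responses, the host name example.invalid and the 70-byte chunk size are constructed for the demonstration; the regex tolerates whitespace between the two tags, which the exact content match in the rule does not.

```python
import re

# Marker from the post's rule, case-insensitive, with optional whitespace between
# the closing script tag and the DOCTYPE declaration.
SCRIPT_BEFORE_DOCTYPE = re.compile(rb"</script>\s*<!DOCTYPE", re.IGNORECASE)


def chunk_encode(body: bytes, chunk_size: int = 70) -> bytes:
    """Apply HTTP/1.1 chunked transfer coding (used only to build the samples)."""
    out = b""
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += b"%x\r\n%s\r\n" % (len(piece), piece)
    return out + b"0\r\n\r\n"


def split_response(raw: bytes):
    """Split a raw HTTP response into status line, header dict and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Remove chunked transfer coding: <hex size>[;ext]CRLF <data>CRLF ... 0CRLFCRLF."""
    out = b""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data plus its trailing CRLF
    return out


def script_before_doctype(raw: bytes) -> bool:
    """Defender-side check: does an HTML response start a script before its DOCTYPE?"""
    _, headers, body = split_response(raw)
    if not headers.get(b"content-type", b"").lower().startswith(b"text/html"):
        return False
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    return SCRIPT_BEFORE_DOCTYPE.search(body) is not None


def raw_bytes_match(raw: bytes) -> bool:
    """Same pattern on the still-chunked body: chunk framing can split the marker,
    which is why the rule inspects the normalized file_data buffer instead."""
    _, _, body = split_response(raw)
    return SCRIPT_BEFORE_DOCTYPE.search(body) is not None


def build_response(body: bytes) -> bytes:
    """Constructed response skeleton modelled on the post's capture (headers trimmed)."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Type: text/html; charset=UTF-8\r\n"
            b"\r\n" + chunk_encode(body))


# Constructed sample bodies. The 70-byte chunk size puts the first chunk boundary
# inside "</script>", so the marker is only visible after dechunking.
INJECTED_BODY = (
    b"<script src='http://example.invalid/api' type='text/javascript'></script>"
    b"<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\">"
    b"\n<html><head></head><body></body></html>"
)
CLEAN_BODY = (
    b"<!DOCTYPE html>\n<html><head><script src='/app.js'></script></head>"
    b"<body></body></html>"
)
INJECTED_RESPONSE = build_response(INJECTED_BODY)
CLEAN_RESPONSE = build_response(CLEAN_BODY)

if __name__ == "__main__":
    print("injected, normalized:", script_before_doctype(INJECTED_RESPONSE))  # True
    print("injected, raw chunks:", raw_bytes_match(INJECTED_RESPONSE))        # False
    print("clean page:", script_before_doctype(CLEAN_RESPONSE))               # False
```

Running the block shows the point of the file_data keyword in the rule: the same pattern that fires on the normalized body misses when applied to the raw chunked bytes, because the chunk-size line lands in the middle of the closing script tag.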
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- SIG: Script before DOCTYPE Lay, James (Jun 21)
- Re: SIG: Script before DOCTYPE Alex Kirk (Jun 21)
- Re: SIG: Script before DOCTYPE Lay, James (Jun 21)
- Re: SIG: Script before DOCTYPE Alex Kirk (Jun 21)