Re: Snort Alert[1:16482:8]

[waldo kitty <wkitty42 () windstream net>]

On 3/26/2013 11:44, Michael Steele wrote:
> Is it possible users could be spoofing their x browser to appear to be IE?

spoofing the UA would not trigger the rule in question...


/var/snort/rules/web-client.rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft 
Internet Explorer userdata behavior memory corruption attempt"; 
flow:to_client,established; content:"addBehavior|28|"; nocase; 
content:"|23|default|23|userData"; distance:0; nocase; 
content:"setAttribute|28|"; distance:0; nocase; 
pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi";
 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; 
classtype:attempted-user; sid:16482; rev:6;)


granted, the above is version 6 of the rule but i doubt it has changed that much 
to be UA centric... the CVE and KB probably target the specific browsers in 
their writings...

------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game 
on Steam. $5K grand prize plus 10 genre and skill prizes. 
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!