Snort mailing list archives
The content pattern of Rule SID: 19713 can be improved
From: Ruowen Wang <rwang9 () ncsu edu>
Date: Sun, 28 Jul 2013 22:42:37 -0700
Dear All,

I am doing research to test Snort rules using Metasploit exploit scripts. I find that the content pattern of the rule sid:19713 might be inaccurate and can be improved. The rule is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff"; nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2;)

I find that in its content patterns "a.length..." and "a.reduce...", "a" is actually a JavaScript variable name (more specifically, it is an Array object in this attack), which can be freely chosen by the attacker. In addition, I find this rule cannot detect the Metasploit attack. The corresponding exploit is http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb

If there is anyone who is familiar with this rule, please take a look, and correct me if I am wrong.

Thank you very much! Have a nice day!

Best Regards!
Ruowen
Snort-sigs mailing list: Snort-sigs () lists sourceforge net, https://lists.sourceforge.net/lists/listinfo/snort-sigs
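The observation in the post (the rule's content strings hard-code the array variable name "a", so a page that uses any other identifier is not matched) can be checked offline with a small coverage harness. The following Python is an added example written for this archive page; it is not code from the post, from the Snort rule set or from the Metasploit module. It models only the two content options of SID 19713 (nocase, with distance:0 ordering) rather than Snort's full detection engine, the three response bodies are constructed test inputs, and GENERIC_PATTERN is an illustrative regex of my own that does not bind the variable name, shown to contrast with the literal strings, not a published replacement rule.

```python
import re

# The two content patterns from SID 19713 as bytes. Snort's |28| |2C| |29|
# hex escapes are the bytes '(' ',' ')'.
CONTENT_1 = b"a.length=0xffffffff"
CONTENT_2 = b"a.reduceRight(callback,0)"


def snort_literal_match(body: bytes) -> bool:
    """Simplified model of the rule's two 'content' options.

    Both are 'nocase'; the second carries 'distance:0', so the search for it
    starts where the first match ended. This mirrors the ordering constraint
    only; file_data buffer handling and the rest of the engine are omitted.
    """
    lower = body.lower()
    first = lower.find(CONTENT_1.lower())
    if first == -1:
        return False
    return lower.find(CONTENT_2.lower(), first + len(CONTENT_1)) != -1


# Illustrative alternative (an assumption for this example, not a published
# Snort rule): a PCRE-style pattern that captures whatever identifier is
# assigned the oversized length and requires the same identifier to call
# reduceRight later in the same buffer, tolerating whitespace around tokens.
GENERIC_PATTERN = re.compile(
    rb"(?P<arr>[A-Za-z_$][\w$]*)\s*\.\s*length\s*=\s*0xffffffff"
    rb".*?(?P=arr)\s*\.\s*reduceRight\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def generic_match(body: bytes) -> bool:
    """True if the variable-name-agnostic pattern finds the two-step sequence."""
    return GENERIC_PATTERN.search(body) is not None


# Constructed sample response bodies (not taken from the Metasploit module
# or from the list post): one using the literal name "a", one with the array
# renamed, and one benign reduceRight use with no oversized length.
SAMPLES = {
    "literal_var_a": b"<script>var a=[]; a.length=0xffffffff; "
                     b"a.reduceRight(callback,0);</script>",
    "renamed_var": b"<script>var arr=[]; arr.length = 0xffffffff; "
                   b"arr.reduceRight(cb, 0);</script>",
    "benign": b"<script>var a=[1,2,3]; "
              b"var s=a.reduceRight(function(p,c){return p+c;},0);</script>",
}


def coverage_report() -> dict:
    """Map each sample name to (literal_rule_hit, generic_pattern_hit)."""
    return {name: (snort_literal_match(b), generic_match(b))
            for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (lit, gen) in coverage_report().items():
        print(f"{name:14s} literal={lit} generic={gen}")
```

Running the report shows the literal content strings firing only on the body that happens to name its array "a", while the identifier-agnostic pattern covers both the literal and renamed bodies and still ignores the benign reduceRight call; the same harness style is useful for regression-testing any signature whose content strings embed attacker-chosen names.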
Current thread:
- The content pattern of Rule SID: 19713 can be improved Ruowen Wang (Jul 28)
- Re: The content pattern of Rule SID: 19713 can be improved Alex McDonnell (Jul 29)
- Re: The content pattern of Rule SID: 19713 can be improved Ruowen Wang (Jul 29)
- Re: The content pattern of Rule SID: 19713 can be improved Alex McDonnell (Jul 29)