Snort mailing list archives
Re: The content pattern of Rule SID: 19713 can be improved
From: Ruowen Wang <rwang9 () ncsu edu>
Date: Mon, 29 Jul 2013 08:41:48 -0700
Hi Alex,

Thanks for pointing this out. Actually, I was previously checking an old snortrules-2922, which didn't contain the 24187, 24188 rules. I checked the latest one, snortrules-2946. I find that 24188 can cover the Metasploit attack. It's good to know public exploits are covered by Snort rules. I also notice there is a specific rule file, exploit-kit.rules, focusing on exploit tool kits. That's great!

Thanks again! Thank you very much! Have a nice day!

----
Looking forward to your reply
Best Regards!
Sincerely yours,
Ruowen Wang
Graduate Student
Department of Computer Science
North Carolina State University
E-mail: rwang9 () ncsu edu

On Mon, Jul 29, 2013 at 7:06 AM, Alex McDonnell <amcdonnell () sourcefire com> wrote:
> Hi Ruowen,
>
> If you search through the ruleset for CVE-2011-2371 you will find that there are more rules that cover this vulnerability; on top of 19713 there are 19714, 24187 and 24188. Each of these rules covers a different vector and they should cover all public exploits.
>
> thanks,
> Alex McDonnell
> VRT
>
> On Mon, Jul 29, 2013 at 1:42 AM, Ruowen Wang <rwang9 () ncsu edu> wrote:
>
>> Dear All,
>>
>> I am doing research to test Snort rules using Metasploit exploit scripts. I find that the content pattern of the rule sid:19713 might be inaccurate and can be improved. The rule is:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow"; flow:to_client,established; file_data; content:"a.length=0xffffffff"; nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user; sid:19713; rev:2;)
>>
>> I find that in its content patterns "a.length..." and "a.reduce...", "a" is actually a JavaScript var name (more specifically, it is an Array object in this attack), which can be freely chosen by the attacker. In addition, I find this rule cannot detect the Metasploit attack. The corresponding exploit is
>> http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb
>>
>> If there is anyone who is familiar with this rule, please take a look, and correct me if I am wrong.
>>
>> Thank you very much! Have a nice day!
>>
>> Best Regards!
>> Ruowen
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
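As an added illustration of the point raised in this thread (this is not code from the thread or from the Snort project), the following Python models the content / nocase / distance:0 option chain of sid:19713 over a file_data buffer and runs it against three constructed HTTP response bodies. It shows that the signature keys on the literal identifier `a` rather than on the Array.reduceRight operation itself; real Snort additionally normalises file_data and uses a fast-pattern matcher, which this simplified matcher does not model.

```python
# Simplified model of the content matching in Snort rule sid:19713.
# Only the options the rule uses (content, nocase, distance) are modelled.
RULE_CONTENTS = [
    {"content": "a.length=0xffffffff", "nocase": True},
    {"content": "a.reduceRight|28|callback|2C|0|29|", "nocase": True, "distance": 0},
]


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |..| is literal,
    hex pairs inside |..| are raw bytes (|28| -> '(', |2C| -> ',', |29| -> ')')."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def rule_matches(file_data: bytes) -> bool:
    """Evaluate the content chain over one file_data buffer.
    A content without distance is searched from the start of the buffer; with
    distance:N it is searched from N bytes after the end of the previous match."""
    prev_end = 0
    for opt in RULE_CONTENTS:
        pat, hay = decode_content(opt["content"]), file_data
        if opt.get("nocase"):
            pat, hay = pat.lower(), hay.lower()
        start = prev_end + opt["distance"] if "distance" in opt else 0
        idx = hay.find(pat, start)
        if idx < 0:
            return False
        prev_end = idx + len(pat)
    return True


# Constructed sample response bodies (not exploit code): only the two
# statements the signature looks for, wrapped in a script tag.
SAMPLES = {
    # the literal form the rule was written against
    "literal": b"<script>var a=[]; a.length=0xffffffff; a.reduceRight(callback,0);</script>",
    # nocase makes case changes irrelevant
    "upper": b"<script>VAR A=[]; A.LENGTH=0XFFFFFFFF; A.REDUCERIGHT(CALLBACK,0);</script>",
    # same operations, different identifier: the rule anchors on the name "a"
    "renamed": b"<script>var arr=[]; arr.length=0xffffffff; arr.reduceRight(callback,0);</script>",
}


def evaluate(samples: dict) -> dict:
    """Return {sample name: whether sid:19713's content chain matches}."""
    return {name: rule_matches(body) for name, body in samples.items()}
```

A durable signature for this bug would anchor on something the attacker cannot rename, which is why the VRT points to the sibling rules 19714, 24187 and 24188 covering other vectors.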
Current thread:
- The content pattern of Rule SID: 19713 can be improved Ruowen Wang (Jul 28)
- Re: The content pattern of Rule SID: 19713 can be improved Alex McDonnell (Jul 29)
- Re: The content pattern of Rule SID: 19713 can be improved Ruowen Wang (Jul 29)
- Re: The content pattern of Rule SID: 19713 can be improved Alex McDonnell (Jul 29)