Snort mailing list archives
Re: How much of a stream(javascript) is actually blocked on event?
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 28 Jan 2014 02:46:01 +0000
On Jan 27, 2014, at 7:47 PM, waldo kitty <wkitty42 () windstream net> wrote:

> On 1/27/2014 12:59 PM, Lil Evil wrote:
>> Now, if I download the URL from a linux client with wget the javascript is being downloaded until the comment is reached and then it'll stop further downloading and hangs. However, a considerable amount of the javascript is already being downloaded until the comment section is reached. I do not know how much of this javascript is being executed, or any at all, but my expectation would be that the complete stream would be blocked.
>
> a block or alert can't be initiated until a match has been made ;)

And Javascript can't partially execute. All the code has to be there. But your display says that not all the code makes it, and the traffic is dropped.

That being said, that rule is simply looking for a comment on a page. There are lots of these types of comments, not exactly sure what they are attributed to. However, theory is that they belong to a tool called "iFRAMER". (Best resource I can give you is this: http://malware.dontneedcoffee.com/2013/09/cookie-bomb-iframer-way.html )

Sometimes the comments are removed when the iframe is cleaned up, sometimes they aren't.

--
Joel Esler
Intelligence Lead Open Source Manager Vulnerability Research Team
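Added example, not part of the original message and not Snort's own code: a simplified Python model of an inline sensor matching a content pattern on a TCP stream, showing why the bytes ahead of the matching segment reach the client while the rest never arrives, as in the wget transfer described in the thread. The marker string, segment size and page body are constructed assumptions; the thread does not give the rule's actual pattern.

```python
# Simplified model of an inline IPS doing content matching on a TCP stream.
# Not Snort's implementation: segment size, marker and payload are constructed.

MARKER = b"<!--example-marker-->"   # constructed stand-in for the rule's comment pattern


def segments(payload: bytes, mss: int):
    """Split a payload into MSS-sized segments, as the server's TCP stack would."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def inline_inspect(segs, pattern: bytes):
    """Forward segments in order until the pattern is seen, then drop the rest.

    Returns (forwarded_bytes, dropped_segment_count, matched).
    """
    forwarded = bytearray()
    tail = b""                      # last len(pattern)-1 bytes already seen
    for idx, seg in enumerate(segs):
        window = tail + seg         # lets a pattern split across two segments match
        if pattern in window:
            # The verdict exists only now; earlier segments already left the sensor.
            return bytes(forwarded), len(segs) - idx, True
        forwarded += seg
        tail = window[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return bytes(forwarded), 0, False


def build_response() -> bytes:
    """Constructed page: a script, then the marker comment, then more script."""
    script_head = b"function a(){" + b"var x=1;" * 40 + b"}"
    script_tail = b"function b(){" + b"var y=2;" * 40 + b"}"
    return script_head + MARKER + script_tail


if __name__ == "__main__":
    body = build_response()
    got, dropped, matched = inline_inspect(segments(body, 100), MARKER)
    print(f"matched={matched} delivered={len(got)}/{len(body)} bytes, "
          f"dropped {dropped} segments")
    print("marker delivered in full:", MARKER in got)
```

When the marker straddles a segment boundary, the leading bytes of the marker itself are forwarded before the match fires, so a partial transfer on the client is expected rather than a sign the drop failed.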