Snort mailing list archives
Re: New sig for detecting audit SVG Files contains JavaScript (possible Malicious)
From: Joshua Williams <joshuwi2 () sourcefire com>
Date: Wed, 25 Jan 2017 16:19:34 -0500
rmkml, Thanks for your submission. I'll review and test these and get back to you when they're finished. -- Josh Williams Detection Response Team TALOS Security Group On Wed, Jan 25, 2017 at 3:28 PM, rmkml <rmkml () ligfy org> wrote:
Hi, First, Thx ISC Sans for sharing recent Malicious SVG Files, Please check two new sigs for detecting audit SVG Files contains JavaScript (possible Malicious): First sig detect SVG files: -it's a first public version, another check is possible like Content-Type... -check if you don't have existing SVG flowbits on your ruleset... -enhance with regex for reduce possible FP... alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC Svg flowbits noalert"; flow:to_server,established; content:".svg"; nocase; http_uri; flowbits:set,http.svgfound; flowbits:noalert; classtype:web-application-activity; sid:1; rev:1; ) Second sig detect audit : alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Svg contains possible JavaScript attempt"; flow:to_client,established; flowbits:isset,http.svgfound; file_data; content:"svg"; nocase; distance:0; content:"script"; nocase; distance:0; pcre:"/(?:\<|\%3c)svg\b.*?(?:\<|\%3c)script\b/si"; reference:url,isc.sans.edu/forums/diary/Malicious+SVG+ Files+in+the+Wild/21971/; classtype:attempted-user; sid:2; rev:1; ) Don't forget check variables. Please send any comments. Regards @Rmkml ------------------------------------------------------------ ------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort! Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!
Current thread:
- New sig for detecting audit SVG Files contains JavaScript (possible Malicious) rmkml (Jan 25)
- Re: New sig for detecting audit SVG Files contains JavaScript (possible Malicious) Joshua Williams (Jan 25)