Snort mailing list archives
RE: More sid 1841 --experimental?
From: twig les <twigles () yahoo com>
Date: Fri, 21 Feb 2003 12:39:48 -0800 (PST)
I have this sig marked as experimental on a box that I don't upgrade rulesets often (test box). My production system does not have this marked as experimental.

--- Matt Kettler <mkettler () evi-inc com> wrote:

Yes, you are correct, the \n needs to be part of the exploit, however the size of {url-here} is arbitrary. Snort is a simple pattern matcher, so it has no way of stating "look for "javascript://" followed by a "\n" somewhere before a quote character". Which is the only way of doing it that's not subject to false positives.

I suppose the code could make some bad assumptions and assume a domain is no longer than 100 bytes, and look for a \n within 100 bytes of javascript://. That's an improvement to the rule, but not a flawless fix, as now an attacker can just insert padding to get around setting off the alert.

As far as the "not experimental" statement, I find that interesting, what version of snort do you have? In the latest non-experimental full-release version of snort, 1.9.0, it's in the experimental.rules not the web-client.rules and the text message starts with EXPERIMENTAL. If you are running some version of snort from the snapshots, then your whole copy of snort is experimental.

At 01:52 PM 2/21/2003 -0600, you wrote:

Thanks for the clarification, Matt. Did I misunderstand the exploit? I *thought* it was the backslash at the end of the javascript call that was causing the problem. The exploit example has: "javascript://{url-here}\n". I didn't catch that the problem was the two forward slashes at the beginning of the string.

BTW, not to be picky, but this rule is *not* marked EXPERIMENTAL. It's in the web-client.rules file, and there's no indication that it is an experimental rule.

Also, I'd take issue with your statement that it is "an unusual, but safe, piece of javascript". It's apparently pretty common practice. Just one site trips that rule enough times to make the top fifteen source destinations for alerts, and *that* site I *know* is not doing anything "evil". That one rule accounts for 5% of the total alerts in acid - some 15,253 alerts over 10 days.

I guess I'll disable it.
:-(

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge. The most comprehensive and flexible code editor you can use. Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial. www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.
-----------------------------------------------------------
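To make Kettler's point above concrete, here is an added example (not code from the thread, and not Snort's own matcher) that scores three detection strategies against constructed sample HTML attributes: the plain content match that sid 1841 performs, the "newline within 100 bytes of javascript://" bound he proposes, and the unbounded "javascript:// followed by a line break somewhere before the closing quote" condition that a content match cannot express. The sample strings, the 100-byte window and the alert(...) payload are assumptions made for illustration; the example also treats \r as a line terminator, which the thread does not discuss but which ends a JavaScript line comment just as \n does.

```python
import re

# Constructed sample attribute values, as a sensor would see them in an
# HTTP response body. These are illustrative, not taken from the thread.
SAMPLES = {
    # Common harmless idiom: a no-op link target. sid 1841 fires on it.
    "benign_noop": 'href="javascript://"',
    # Exploit shape from the thread: "//" comments out the host part,
    # the newline ends the comment, and the code after it runs.
    "exploit": 'href="javascript://www.example.com\nalert(document.cookie)"',
    # Same exploit with 200 bytes of padding inside the comment, pushing
    # the newline past any fixed lookahead window.
    "padded_exploit": (
        'href="javascript://www.example.com' + "A" * 200 + '\nalert(1)"'
    ),
}

MARKER = "javascript://"


def naive_match(data: str) -> bool:
    """What a plain content:"javascript://" rule does: substring search."""
    return MARKER in data


def bounded_match(data: str, window: int = 100) -> bool:
    """Kettler's proposed improvement: a newline within `window` bytes
    after the marker (window=100 is the assumed domain-length bound)."""
    idx = data.find(MARKER)
    if idx < 0:
        return False
    start = idx + len(MARKER)
    return "\n" in data[start:start + window]


# "javascript:// then a line break, then anything, up to the closing quote".
# The lazy [^"']*? stops at the first line terminator before a quote;
# [\r\n] covers both terminators that end a JS line comment.
_UNBOUNDED = re.compile(r'javascript://[^"\']*?[\r\n][^"\']*["\']')


def unbounded_match(data: str) -> bool:
    """The condition Kettler says is the only false-positive-free one.
    It needs backtracking/lookahead that a fixed content match lacks."""
    return _UNBOUNDED.search(data) is not None


def evaluate() -> dict:
    """Run all three matchers over every sample; returns {name: {matcher: hit}}."""
    return {
        name: {
            "naive": naive_match(s),
            "bounded": bounded_match(s),
            "unbounded": unbounded_match(s),
        }
        for name, s in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15s} " + "  ".join(f"{k}={v}" for k, v in hits.items()))
```

Running it shows the trade-off the thread describes: the naive match hits all three samples, including the harmless no-op link (the 15,253 alerts in ten days); the 100-byte bound clears the no-op link and catches the plain exploit but misses the padded one; only the unbounded condition separates the two exploits from the benign case. Note that the regex still assumes the attribute is closed by a single or double quote, so an unquoted attribute value would need its own terminator set.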
Current thread:
- More sid 1841 Schmehl, Paul L (Feb 20)
- <Possible follow-ups>
- Re: More sid 1841 Kenneth G. Arnold (Feb 21)
- Re: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 -experimental? Matt Kettler (Feb 21)
- Re: More sid 1841 Michael Boman (Feb 22)
- Re: More sid 1841 Matt Kettler (Feb 22)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 22)