RE: More sid 1841 --experimental?

[twig les <twigles () yahoo com>]

I have this sig marked as experimental on a box that i don't
upgrade rulesets often (test box).  My production system does
not have this marked as experimental.


--- Matt Kettler <mkettler () evi-inc com> wrote:
> Yes, you are correct, the \n needs to be part of the exploit,
> however the 
> size of {url-here} is arbitrary. Snort is a simple pattern
> matcher, so it 
> has no way of stating "look for "javascript://" followed by a
> "\n" 
> somewhere before a quote character". Which is the only way of
> doing it 
> that's not subject to false positives.
>
> I suppose the code could make some bad assumptions and assume
> a domain is 
> no longer than 100 bytes, and look for a \n within 100 bytes
> of 
> javascript://. That's an improvement to the rule, but not a
> flawless fix, 
> as now an attacker can just insert padding to get around
> setting off the alert.
>
>
> As far as the "not experimental" statement, I find that
> interesting, what 
> version of snort do you have?
>
> In the latest non-experimental full-release version of snort,
> 1.9.0, it's 
> in the experimental.rules not the web-client.rules and the
> text message 
> starts with EXPERIMENTAL.
>
> If you are running some version of snort from the snapshots,
> then your 
> whole copy of snort is experimental.
>
>
>
>
> At 01:52 PM 2/21/2003 -0600, you wrote:
> > Thanks for the clarification, Matt.  Did I misunderstand the
> exploit?  I
> > *thought* it was the backslash at the end of the javascript
> call that
> > was causing the problem.  The exploit example has:
> > "javascript://{url-here}\n".  I didn't catch that the problem
> was the
> > two forward slashes at the beginning of the string.
> >
> > BTW, not to be picky, but this rule is *not* marked
> EXPERIMENTAL.  It's
> > in the web-client.rules file, and there's no indication that
> it is an
> > experimental rule.  Also, I'd take issue with your statement
> that it is
> > "an unusual, but safe, piece of javascript".  It's apparently
> pretty
> > common practice.  Just one site trips that rule enough times
> to make the
> > top fifteen source destinations for alerts, and *that* site I
> *know* is
> > not doing anything "evil".  That one rule accounts for 5% of
> the total
> > alerts in acid - some 15,253 alerts over 10 days.
> >
> > I guess I'll disable it.  :-(
> >
> > Paul Schmehl (pauls () utdallas edu)
> > Adjunct Information Security Officer
> > The University of Texas at Dallas
> > AVIEN Founding Member
> > http://www.utdallas.edu/~pauls/
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: SlickEdit Inc. Develop an
> edge.
> The most comprehensive and flexible code editor you can use.
> Code faster. C/C++, C#, Java, HTML, XML, many more. FREE
> 30-Day Trial.
> www.slickedit.com/sourceforge
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/


-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users