Snort mailing list archives
Re: [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2
From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 10 Aug 2010 15:52:02 -0500
wow... what a horrible sentence... I meant... If you have a normalized buffer, as a rule writer you should be able to do something like what Eoin is trying to do.

On Tue, Aug 10, 2010 at 3:49 PM, Will Metcalf <william.metcalf () gmail com> wrote:

ehhh be careful... this only works for http_uri and http_client_body; all other http_* modifiers using distance/within fail silently.... always... at least in my testing. Which makes me wonder why snort doesn't reject those rules during parsing, as they will never match. Joel?

Also, did you test these? Because as of 2.8.5.3 (yes I know, I know) this would only work if you did....

content:"id="; http_client_body; content:"%26jp"; distance:32; classtype:bad-unknown; sid:5600099; rev:2;)

leaving off the second http_client_body modifier. Otherwise it appears the behavior is that in this case distance would always start from the beginning of the normalized buffer, i.e. it behaves like offset. The same trick works for http_uri, but if the uri has to be decoded/normalized in any way it will always fail. This is really annoying to me btw. If you have a normalized buffer, as a rule writer you should be able to do something like what Eoin is trying to do. For things where within/distance don't really make much of a difference I can understand, read uricontent, but for things like http headers etc where you fingerprint things like a unique user-agent using within/distance and can avoid pcre, why not allow this instead of assuming that the user "really meant" depth/offset. just my 0.02

Regards,
Will

On Tue, Aug 10, 2010 at 2:57 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

These are better versions that should have a much lower FP rate. Why I didn't use the distance keyword last time? Because I am an idiot:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO Exploit Kit - request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"%26np"; distance:32; http_client_body; classtype:bad-unknown; sid:5600099; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO Exploit Kit - request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"%26j"; distance:32; http_client_body; classtype:bad-unknown; sid:5600100; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO Exploit Kit - request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"%26jp"; distance:32; http_client_body; classtype:bad-unknown; sid:5600101; rev:2;)

--
Eoin

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
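The point Will raises, that a `distance` silently treated as an `offset` changes which bodies a rule matches, is easy to see with a small model. The following is an added illustration written for this archive page; it is not Snort's code and not part of the thread. It assumes a simplified matching model (a `distance` gap is measured from the end of the previous match, an `offset` gap from the start of the buffer, and no `within`/`depth` bound), and the request bodies are constructed samples, not captured traffic.

```python
"""Toy model of Snort content/distance vs. content/offset semantics over a
normalized HTTP client body.  Added illustration, not Snort's own matcher;
assumes the simplified semantics described in the comments below."""

# The content chain from sid:5600101 above, as (pattern, gap) pairs.
# The first pattern has no gap; the second is "distance:32" in the rule.
RULE_5600101 = [(b"id=", 0), (b"%26jp", 32)]


def match_chain(buf: bytes, contents, *, relative: bool) -> bool:
    """Return True if every pattern in `contents` is found in order.

    relative=True  : gap is 'distance' -- the search for the next pattern
                     starts `gap` bytes after the END of the previous match
                     (what the rule author intends).
    relative=False : gap is treated as 'offset' -- the search starts `gap`
                     bytes from the START of the buffer, ignoring where the
                     previous content matched (the fall-back Will describes).
    """
    cursor = 0
    for pattern, gap in contents:
        start = cursor + gap if relative else gap
        pos = buf.find(pattern, start)
        if pos < 0:
            return False
        cursor = pos + len(pattern)
    return True


def compare(body: bytes, rule=RULE_5600101) -> dict:
    """Evaluate the same content chain under both interpretations."""
    return {
        "distance": match_chain(body, rule, relative=True),
        "offset": match_chain(body, rule, relative=False),
    }


# Constructed sample bodies (not real exploit-kit traffic):
# 1. "id=" at the very start, marker exactly 32 bytes after it -> both agree.
BODY_EXPECTED = b"id=" + b"0" * 32 + b"%26jp"
# 2. "id=" appears late in the body and the marker follows it closely.
#    distance (relative) does not match; offset (absolute) does -> a false
#    positive against the author's intent.
BODY_EARLY = b"x=" + b"A" * 40 + b"&id=" + b"B" * 10 + b"%26jp"
# 3. Marker too close to "id=" and the body is short -> neither matches.
BODY_SHORT = b"id=" + b"0" * 5 + b"%26jp"


if __name__ == "__main__":
    for name, body in (("expected", BODY_EXPECTED),
                       ("early", BODY_EARLY),
                       ("short", BODY_SHORT)):
        print(name, compare(body))
```

Running it shows the two interpretations agreeing on the first and third bodies but diverging on the second, which is exactly the class of silent behaviour change the thread is warning about: a rule that parses cleanly yet matches a different set of requests than its author tested.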