Snort mailing list archives
FP on WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Fri, 2 Mar 2012 08:07:57 +0530
Hi,

I get these alerts triggered when I visit the Citibank website.

*Rule*

web-client.rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt"; flow:to_client,established; content:"<script"; nocase; content:"javascript"; distance:0; nocase; content:"location="; distance:0; nocase; pcre:"/javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}/sim"; metadata:policy security-ips drop; reference:bugtraq,16687; reference:cve,2006-0753; classtype:attempted-dos; sid:17487; rev:4;)

*Tracing the PCRE*

I am trying to trace the PCRE. I got up to here:

javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}

which matches the line

"javascript function login (){var st='toolbar=0,location=0, javascript function login ()}"

However, I cannot apply that complete scenario in this case as I cannot see the second Javascript.

*Alerts (BASE)*

Signature: [cve <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0753>] [icat <http://icat.nist.gov/icat.cfm?cvename=CAN-2006-0753>] [bugtraq <http://www.securityfocus.com/bid/16687>] [snort <http://www.snort.org/search/sid/1-17487>] WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt

ID            Timestamp            Source Address     Dest. Address       Layer 4 Proto
#0-(5-50119)  2012-03-02 06:10:17  192.193.97.23:80   192.168.56.1:47028  TCP
#1-(5-50118)  2012-03-02 06:10:17  192.193.97.23:80   192.168.56.1:47028  TCP
#2-(5-50117)  2012-03-02 06:08:58  192.193.97.23:80   192.168.56.1:47013  TCP

*Payload:*

</td></tr>");
newWin.document.write("<tr align='right'><td colspan='3' class='ar1'><a href='javascript:window.close()'>Close this window</a> </td></tr>");
newWin.document.write("<tr><td> </td><td colspan='2'> </td></tr>");
newWin.document.write("<tr><td> </td><td colspan='2'> </td></tr>");
newWin.document.write("</table></form></body></html>");
newWin.document.close();
if (autoclose) {
}
}
function openWinUser(wdh, hgt){
var autoclose = true
newWin = open("","Test","scrollbar=no,width=350,height=150,left=200,top=200");
newWin.document.open();
newWin.document.write("<html><head><title>Citibank Online</title><meta http-equiv='Content-Type' content='text/html; charset=iso-8859-1'><link rel='stylesheet' href=http://www.citibank.co.in/infojsp/includes/copy.css>");
newWin.document.write("<script language='javascript' >");
newWin.document.write("function login(){");
newWin.document.write("var st='toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=1,resizable=0,top=0,left=0,width="+wdh+",height="+hgt+"';");
newWin.document.write("mainwin=window.open('https://www.citibank.co.in/ibank/login/guestlogin.jsp','Citibank',st);");
newWin.document.write("window.close();");
newWin.document.write("}");
newWin.document.write("<\/script>");
newWin.document.write("<body onBlur='window.focus()' bgcolor='#FFFFFF' text='#000000' leftmargin='0' topmargin='0'

http://www.snort.org/vrt/docs/ruleset_changelogs/2_8_6_1/changes-2011-11-28.html

--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
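The following script is an added illustration, not part of the original post or of the Snort ruleset. It runs the rule's PCRE over a constructed excerpt of the payload quoted above, using Python's re module (whose syntax covers everything this pattern uses: \s, \w, a backreference and the s/i/m flags). An instrumented copy of the pattern wraps the backreference in a capturing group so the script can report which text satisfied \1; on this excerpt it is the "login" inside "guestlogin.jsp" in the window.open URL, which is reachable because [^}]+ runs across successive document.write lines. A control payload with that URL path changed shows the rule no longer fires.

```python
import re

# The PCRE exactly as it appears in sid:17487 (flags /sim).
SNORT_PCRE = r"javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+\1.+\}"

# Instrumented variant: same matching behaviour, but the backreference \1 is
# wrapped in a capturing group so its span in the payload can be reported.
INSTRUMENTED_PCRE = r"javascript.+function\s+(\w+)\s*\(\w*\)\s*\{.+location=[^}]+(\1).+\}"

# /sim -> DOTALL, IGNORECASE, MULTILINE
FLAGS = re.DOTALL | re.IGNORECASE | re.MULTILINE

# Constructed excerpt of the Citibank payload quoted in the post.
PAYLOAD = r"""newWin.document.write("<script language='javascript' >");
newWin.document.write("function login(){");
newWin.document.write("var st='toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=1,resizable=0,top=0,left=0,width="+wdh+",height="+hgt+"';");
newWin.document.write("mainwin=window.open('https://www.citibank.co.in/ibank/login/guestlogin.jsp','Citibank',st);");
newWin.document.write("window.close();");
newWin.document.write("}");
newWin.document.write("<\/script>");
"""


def rule_matches(payload):
    """True if the rule's PCRE (unmodified) matches the payload."""
    return re.search(SNORT_PCRE, payload, FLAGS) is not None


def explain_match(payload):
    """Return the captured function name and where the backreference matched,
    or None if the instrumented pattern does not match."""
    m = re.search(INSTRUMENTED_PCRE, payload, FLAGS)
    if m is None:
        return None
    start, end = m.start(2), m.end(2)
    return {
        "function_name": m.group(1),
        "backref_text": m.group(2),
        # Five characters before and four after the backreference, enough to
        # show the surrounding token in this excerpt.
        "backref_context": payload[max(0, start - 5):end + 4],
    }


def control_payload():
    """Constructed control: same script with the URL path altered so that the
    function name never recurs after 'location='."""
    return PAYLOAD.replace("ibank/login/guestlogin.jsp", "ibank/guest.jsp")


if __name__ == "__main__":
    print("original payload matches:", rule_matches(PAYLOAD))
    print("explanation:", explain_match(PAYLOAD))
    print("control payload matches:", rule_matches(control_payload()))
```

The rule's intent is a function that assigns to location and then re-invokes itself; the backreference is the only thing tying the two halves together, and because [^}]+ is not restricted to the function body as written by the page author, any later occurrence of the function name before the next "}" satisfies it. That is the part of the pattern worth tightening when tuning this signature.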
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- FP on WEB-CLIENT Microsoft Internet Explorer Script Engine Stack Exhaustion Denial of Service attempt Balasubramaniam Natarajan (Mar 05)