Snort mailing list archives
Re: Proposed Signature - "COMMUNITY SPECIFIC-THREATS Blackhole Terse JavaScript hex 16 byte document.location JavaScript redirect to showthread.php"
From: Community Signatures <lists () packetmail net>
Date: Tue, 13 Mar 2012 11:20:08 -0500
On 03/13/12 11:03, Joel Esler wrote:
> Well, we have a rule that fires on that initially.. 21347. But it's set to noalert as we think it'll be FP prone. Thoughts?
Ouch, I completely missed that one; it's new and wasn't in my tarball. Yes, it will false-positive: I had tried something similar and the URI structures in a few sites, especially video sites, cause it to false. It is worth setting a flowbit though.

I'm open to your opinion, I do think there is value in detection of a terse/basic 'document.location' redirect. Perhaps something like, with the direction $EXTERNAL_NET -> $HOME_NET:

file_data; content:"document.location="; depth:18; content:".php?";

along with the PCRE in 21347 without the /U flag -- this will catch more than just the "showthread.php" variant. I assume file_data with depth:18 will match on the equivalent of content:"|0d 0a 0d 0a|document.location="; with no normalized buffer. I appreciate any corrections here if I'm wrong.

PS -- The PCRE in 21347 needs an escape on the period in ".php"... well, I guess it doesn't matter because of the content match, but I think you intend one to be there.

Thanks,
Nathan
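An added illustration, not part of the thread, of how the proposed options would behave: it approximates Snort's file_data buffer (the HTTP body after the header terminator) and the depth:18 restriction in plain Python, runs it over two constructed responses (a terse redirect at the very start of the body versus a page that uses document.location mid-script), and shows why the unescaped period in the PCRE is sloppy even if the content match masks it. The header parsing and rule semantics are an approximation for demonstration, not Snort's own engine.

```python
import re

# Constructed sample HTTP responses (not captures from the thread).
TERSE_REDIRECT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"document.location='http://example.test/forum/showthread.php?t=1';"
)
VIDEO_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><script>if(x){document.location='/watch.php?v=1';}"
    b"</script></body></html>"
)

# Approximation of the proposed rule body (assumed semantics, not Snort's engine):
#   file_data; content:"document.location="; depth:18; content:".php?";
#   pcre:"/document\.location=.*?\.php\?/"
DEPTH = 18
FIRST = b"document.location="
SECOND = b".php?"
PCRE = re.compile(rb"document\.location=.*?\.php\?")


def file_data(response: bytes) -> bytes:
    """Return what file_data would hold: the body after the |0d 0a 0d 0a| terminator."""
    sep = response.find(b"\r\n\r\n")
    return b"" if sep == -1 else response[sep + 4:]


def rule_matches(response: bytes) -> bool:
    """Emulate the proposed content/depth/pcre options on one response."""
    body = file_data(response)
    # depth:18 limits the first content match to the first 18 bytes of the buffer,
    # so "document.location=" must be the very start of the body (18 bytes long).
    if body[:DEPTH].find(FIRST) == -1:
        return False
    # The second content match is not relative, so it may sit anywhere in the body.
    if SECOND not in body:
        return False
    return PCRE.search(body) is not None


def period_escape_matters(sample: bytes) -> tuple:
    """(escaped, unescaped): an unescaped '.' in the PCRE matches any single byte."""
    return (re.search(rb"\.php", sample) is not None,
            re.search(rb".php", sample) is not None)
```

With the two constructed responses, only the terse redirect fires, which is the false-positive reduction the depth restriction is meant to buy.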