Snort mailing list archives

Re: The content pattern of Rule SID: 19713 can be improved


From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Mon, 29 Jul 2013 10:06:41 -0400

Hi Ruowen,

If you search through the ruleset for the CVE 2011-2371 you will find that
there are more rules that cover this vulnerability; on top of 19713 there
are 19714, 24187 and 24188. Each of these rules covers different vectors and
they should cover all public exploits.

thanks,
Alex McDonnell
VRT


On Mon, Jul 29, 2013 at 1:42 AM, Ruowen Wang <rwang9 () ncsu edu> wrote:

Dear All,

I am doing research to test Snort rules using Metasploit exploit
scripts. I find that the content pattern of the rule sid:19713 might be
inaccurate and can be improved. The rule is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX
Mozilla Array.reduceRight integer overflow"; flow:to_client,established;
file_data; content:"a.length=0xffffffff"; nocase;
content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
sid:19713; rev:2;)

I find that in its content patterns "a.length..." and "a.reduce...", "a"
is actually a JavaScript var name (more specifically, it is an Array object
in this attack), which can be freely chosen by the attacker. In addition, I
find that this rule cannot detect the Metasploit attack. The corresponding
exploit is

http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb

If there is anyone who is familiar with this rule, please take a look, and
correct me if I am wrong.

Thank you very much! Have a nice day!


Best Regards!
Ruowen
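Added illustration, not part of the list post or the VRT ruleset: a small Python check that emulates the two content matches of sid:19713 (both nocase, the second with distance:0) over constructed response bodies, beside a variable-name-agnostic pattern that binds the array identifier with a backreference. The sample bodies and the improved regex are assumptions for illustration only, not the Metasploit module's code and not a proposed official rule; file_data and other rule options are ignored.

```python
import re

# Constructed sample HTTP response bodies (hypothetical, not taken from the
# Metasploit module or the mailing list post).
SAMPLES = {
    "array_named_a":  "var a=new Array();a.length=0xffffffff;a.reduceRight(callback,0);",
    "array_renamed":  "var buf=[];buf.length=0xFFFFFFFF;buf.reduceRight(callback,0);",
    "benign_reduce":  "var a=[1,2,3];a.length=3;a.reduceRight(callback,0);",
}

FIRST_CONTENT = "a.length=0xffffffff"
SECOND_CONTENT = "a.reduceright(callback,0)"   # |28| = '(' , |2C| = ',' , |29| = ')'


def sid19713_content_chain(body: str) -> bool:
    """Emulate the rule's content chain: both matches are nocase, and
    distance:0 means the second match must begin at or after the end of
    the first match."""
    lower = body.lower()
    first = lower.find(FIRST_CONTENT)
    if first < 0:
        return False
    end_of_first = first + len(FIRST_CONTENT)
    return lower.find(SECOND_CONTENT, end_of_first) >= 0


# Assumed alternative pattern: capture whatever identifier precedes
# ".length=0xffffffff" and require the same identifier before ".reduceRight(".
# This is the kind of expression a pcre option could carry; it is an
# illustration, not a tested replacement for the rule.
IDENTIFIER_AGNOSTIC = re.compile(
    r"(\w+)\.length\s*=\s*0xffffffff\b.*?\b\1\.reduceRight\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def identifier_agnostic_match(body: str) -> bool:
    return IDENTIFIER_AGNOSTIC.search(body) is not None


def evaluate() -> dict:
    """Return, per sample, (rule-as-written result, identifier-agnostic result)."""
    return {name: (sid19713_content_chain(b), identifier_agnostic_match(b))
            for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for name, (as_written, agnostic) in evaluate().items():
        print(f"{name:15s} as_written={as_written!s:5s} agnostic={agnostic}")
```

The renamed-array sample is the case the post describes: the literal content strings miss it while the backreference pattern still fires, and the benign sample triggers neither.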




_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

