Snort mailing list archives

Re: uricontent misbehaving?

From: Tim Kramer <kramert () mlrnoc navy mil>
Date: 02 Nov 2001 22:07:55 -0500

Dan,

The "readme.eml" rule (in this case) was probably written
in response to the Nimda worm which infects web servers so
that they have an extra line of HMTL/JavaScript code at the
bottom of the web page.  The additional code causes a new
browser window to be opened will off the visible portion of
the desktop (location 6000,6000) and to download a file
called "readme.eml".  The actual code that gets added to the
webpage looks like (without the proper JavaScript tags):

window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

The act of visiting the infected website causes an additional
HTTP request.  This also makes it easy to detect (via Snort) 
and/or easy to  block (via Squid).

Hope this helps,
Tim Kramer


On Fri, 2001-11-02 at 13:21, dan.ellis () sophos com wrote:

Hi,

I'm not actually a snort user, but I'm trying to respond to a log I was
sent:

Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
Priority:8 Type:Attempted User Privilege Gain
IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
References: 1

which apparently came from the rule:

Alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    (msg:"WEB-MISC readme.eml attempt"; \
    flags:A+; uricontent:"readme.eml"; nocase; \
    classtype:attempted-user; sid:1284; rev:3; \
    reference:url,www.cert.org/advisories/CA-2001-26.html;)

(xxx... is our web server.)

I'm not very familiar with snort, but from what I've just read in the
documentation the 'uricontent' bit is supposed to match only on
the URI of requests. However, this was a response packet from our
web server. Of course, several of our pages contain the text "readme.eml",
but I don't see how this rule could have triggered unless it was
mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
been known to misbehave in this way?

Any information greatly appreaciated.

Regards,
Dan.


--
Dan Ellis, Software Engineer                              Sophos Anti-Virus
email: dan.ellis () sophos com                           http://www.sophos.com
US Support: +1 888 SOPHOS 9                     UK Support: +44 1235 559933


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

uricontent misbehaving? dan . ellis (Nov 02)
- Re: uricontent misbehaving? Tim Kramer (Nov 02)
- Re: uricontent misbehaving? Tim Kramer (Nov 02)
  - Re: uricontent misbehaving? Chuck Morford (Nov 02)
- Re: uricontent misbehaving? Martin Roesch (Nov 02)
- Re: uricontent misbehaving? Brian (Nov 06)
- <Possible follow-ups>
- Re: uricontent misbehaving? Daniel Carroll (Nov 02)