Snort mailing list archives
Re: uricontent misbehaving?
From: Tim Kramer <kramert () mlrnoc navy mil>
Date: 02 Nov 2001 22:07:55 -0500
Dan,

The "readme.eml" rule (in this case) was probably written in response to the Nimda worm, which infects web servers so that they have an extra line of HTML/JavaScript code at the bottom of the web page. The additional code causes a new browser window to be opened well off the visible portion of the desktop (location 6000,6000) and to download a file called "readme.eml". The actual code that gets added to the webpage looks like (without the proper JavaScript tags):

    window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

The act of visiting the infected website causes an additional HTTP request. This also makes it easy to detect (via Snort) and/or easy to block (via Squid).

Hope this helps,
Tim Kramer

On Fri, 2001-11-02 at 13:21, dan.ellis () sophos com wrote:
Hi,

I'm not actually a snort user, but I'm trying to respond to a log I was sent:

    Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
    Priority:8 Type:Attempted User Privilege Gain
    IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
    References: 1

which apparently came from the rule:

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
        (msg:"WEB-MISC readme.eml attempt"; \
        flags:A+; uricontent:"readme.eml"; nocase; \
        classtype:attempted-user; sid:1284; rev:3; \
        reference:url,www.cert.org/advisories/CA-2001-26.html;)

(xxx... is our web server.)

I'm not very familiar with snort, but from what I've just read in the documentation the 'uricontent' bit is supposed to match only on the URI of requests. However, this was a response packet from our web server. Of course, several of our pages contain the text "readme.eml", but I don't see how this rule could have triggered unless it was mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent' been known to misbehave in this way?

Any information greatly appreciated.

Regards,
Dan.

--
Dan Ellis, Software Engineer
Sophos Anti-Virus
email: dan.ellis () sophos com
http://www.sophos.com
US Support: +1 888 SOPHOS 9
UK Support: +44 1235 559933

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
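As an added illustration, not code from either message in this thread and not Snort's own matching engine: a small Python model of the distinction Dan is asking about. It assumes, as the Snort documentation he cites states, that `uricontent` inspects only the URI of an HTTP request line while `content` inspects the whole packet payload. The HTTP packets are constructed here, modelled on the injected `window.open` line Tim describes; the hostnames and the `response_carries_nimda_inject` helper are assumptions for the example. It shows what each keyword should match for an infected response, for the browser's follow-up request for readme.eml, and for an unrelated request, and it adds the defender-side check a web-server owner would actually want: spotting the injected line in their own server's responses.

```python
"""Toy model of Snort 'content' vs 'uricontent' matching (added example).

- content:    search the whole packet payload, request or response.
- uricontent: search only the URI of an HTTP request line.

A response carrying the Nimda-style injected window.open("readme.eml", ...)
line contains the string, so a whole-payload search matches it; a URI-only
search cannot, because a response has no request URI. The browser's
follow-up request for /readme.eml is what a URI-only search should catch.
This is a simplified model, not Snort's HTTP preprocessing.
"""
import re

# Request line per RFC 2616: METHOD SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d\r?\n")

# The injected line Tim quotes, allowing for whitespace and case variation.
NIMDA_INJECT = re.compile(rb'window\.open\(\s*"readme\.eml"', re.IGNORECASE)

# Constructed packets (not captured traffic); www.example.test is a placeholder.
INFECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Welcome</body></html>\r\n"
    b'<html><script language="JavaScript">'
    b'window.open("readme.eml", null, "resizable=no,top=6000,left=6000");'
    b"</script></html>\r\n"
)
FOLLOWUP_REQUEST = b"GET /readme.eml HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def content_match(payload, pattern, nocase=True):
    """Whole-payload search, the behaviour of Snort's 'content' keyword."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return pattern in payload


def extract_uri(payload):
    """Return the request URI as bytes, or None if this is not an HTTP request."""
    m = REQUEST_LINE.match(payload)
    return m.group("uri") if m else None


def uricontent_match(payload, pattern, nocase=True):
    """URI-only search, the documented behaviour of 'uricontent'.

    A server response carries no request line, so it can never match here.
    """
    uri = extract_uri(payload)
    if uri is None:
        return False
    return content_match(uri, pattern, nocase)


def response_carries_nimda_inject(payload):
    """Defender-side check: does a response body carry the injected line?

    Useful for auditing your own server's output, as Dan's alert concerned
    packets coming from his web server.
    """
    return NIMDA_INJECT.search(payload) is not None


def classify(packets, pattern=b"readme.eml"):
    """Map packet name -> (content would fire, uricontent would fire)."""
    return {name: (content_match(p, pattern), uricontent_match(p, pattern))
            for name, p in packets.items()}


if __name__ == "__main__":
    sample = {"infected_response": INFECTED_RESPONSE,
              "followup_request": FOLLOWUP_REQUEST,
              "benign_request": BENIGN_REQUEST}
    for name, (by_content, by_uricontent) in classify(sample).items():
        print(f"{name:18s} content={by_content!s:5s} uricontent={by_uricontent}")
    print("infected response carries inject:",
          response_carries_nimda_inject(INFECTED_RESPONSE))
```

Only the follow-up request fires under a URI-only match; the infected response fires only under a whole-payload match, which is exactly the symptom Dan describes seeing. The `response_carries_nimda_inject` check is the complementary signal: a web-server owner can run it over their own responses to confirm whether the pages themselves have been modified.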
Current thread:
- uricontent misbehaving? dan . ellis (Nov 02)
- Re: uricontent misbehaving? Tim Kramer (Nov 02)
- Re: uricontent misbehaving? Tim Kramer (Nov 02)
- Re: uricontent misbehaving? Chuck Morford (Nov 02)
- Re: uricontent misbehaving? Martin Roesch (Nov 02)
- Re: uricontent misbehaving? Brian (Nov 06)
- <Possible follow-ups>
- Re: uricontent misbehaving? Daniel Carroll (Nov 02)