Snort mailing list archives
RE: More sid 1841
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 21 Feb 2003 15:27:10 -0500
Yes, you are correct, the \n needs to be part of the exploit, however the size of {url-here} is arbitrary. Snort is a simple pattern matcher, so it has no way of stating "look for "javascript://" followed by a "\n" somewhere before a quote character". Which is the only way of doing it that's not subject to false positives.
I suppose the code could make some bad assumptions and assume a domain is no longer than 100 bytes, and look for a \n within 100 bytes of javascript://. That's an improvement to the rule, but not a flawless fix, as now an attacker can just insert padding to get around setting off the alert.
As far as the "not experimental" statement, I find that interesting, what version of snort do you have?
In the latest non-experimental full-release version of snort, 1.9.0, it's in the experimental.rules not the web-client.rules and the text message starts with EXPERIMENTAL.
If you are running some version of snort from the snapshots, then your whole copy of snort is experimental.
At 01:52 PM 2/21/2003 -0600, you wrote:
Thanks for the clarification, Matt. Did I misunderstand the exploit? I
*thought* it was the backslash at the end of the javascript call that
was causing the problem. The exploit example has:
"javascript://{url-here}\n". I didn't catch that the problem was the
two forward slashes at the beginning of the string.
BTW, not to be picky, but this rule is *not* marked EXPERIMENTAL. It's
in the web-client.rules file, and there's no indication that it is an
experimental rule. Also, I'd take issue with your statement that it is
"an unusual, but safe, piece of javascript". It's apparently pretty
common practice. Just one site trips that rule enough times to make the
top fifteen source destinations for alerts, and *that* site I *know* is
not doing anything "evil". That one rule accounts for 5% of the total
alerts in acid - some 15,253 alerts over 10 days.
I guess I'll disable it. :-(
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
------------------------------------------------------- This SF.net email is sponsored by: SlickEdit Inc. Develop an edge. The most comprehensive and flexible code editor you can use. Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial. www.slickedit.com/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- More sid 1841 Schmehl, Paul L (Feb 20)
- <Possible follow-ups>
- Re: More sid 1841 Kenneth G. Arnold (Feb 21)
- Re: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 -experimental? Matt Kettler (Feb 21)
- Re: More sid 1841 Michael Boman (Feb 22)
- Re: More sid 1841 Matt Kettler (Feb 22)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 22)