Snort mailing list archives

RE: More sid 1841


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 21 Feb 2003 15:20:40 -0600

Since you obviously understand the rules syntax quite well, then you can
clarify something else for me.  I *thought* after reading the docs that
this would work:
content:"javascript\://"; content:"\n";

Isn't this saying "if you see both of these strings anywhere in the
payload, trigger this alert"?

I'm using snort 1.9 Build 290 from the FreeBSD ports collection, and I
use oinkmaster, which updates the rules nightly.  The path used to fetch
the rules (the "url" value in the conf file) is:
http://www.snort.org/dl/signatures/snortrules-stable.tar.gz

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Friday, February 21, 2003 2:27 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: RE: [Snort-users] More sid 1841


Yes, you are correct, the \n needs to be part of the exploit, however the
size of {url-here} is arbitrary. Snort is a simple pattern matcher, so it
has no way of stating "look for "javascript://" followed by a "\n"
somewhere before a quote character". Which is the only way of doing it
that's not subject to false positives.

I suppose the code could make some bad assumptions and assume a domain is
no longer than 100 bytes, and look for a \n within 100 bytes of
javascript://. That's an improvement to the rule, but not a flawless fix,
as now an attacker can just insert padding to get around setting off the
alert.


As far as the "not experimental" statement, I find that interesting, what
version of snort do you have?

In the latest non-experimental full-release version of snort, 1.9.0, it's
in the experimental.rules not the web-client.rules and the text message
starts with EXPERIMENTAL.

If you are running some version of snort from the snapshots, then your
whole copy of snort is experimental.

