Snort mailing list archives
RE: More sid 1841
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 21 Feb 2003 15:20:40 -0600
Since you obviously understand the rules syntax quite well, then you can clarify something else for me. I *thought* after reading the docs that this would work:

content:"javascript\://"; content:"\n";

Isn't this saying "if you see both of these strings anywhere in the payload, trigger this alert"?

I'm using snort 1.9 Build 290 from the FreeBSD ports collection, and I use oinkmaster, which updates the rules nightly. The path used to fetch the rules (the "url" value in the conf file) is:

http://www.snort.org/dl/signatures/snortrules-stable.tar.gz

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com]
Sent: Friday, February 21, 2003 2:27 PM
To: Schmehl, Paul L; snort-users () lists sourceforge net
Subject: RE: [Snort-users] More sid 1841

Yes, you are correct, the \n needs to be part of the exploit, however the size of {url-here} is arbitrary. Snort is a simple pattern matcher, so it has no way of stating "look for "javascript://" followed by a "\n" somewhere before a quote character". Which is the only way of doing it that's not subject to false positives.

I suppose the code could make some bad assumptions and assume a domain is no longer than 100 bytes, and look for a \n within 100 bytes of javascript://. That's an improvement to the rule, but not a flawless fix, as now an attacker can just insert padding to get around setting off the alert.

As far as the "not experimental" statement, I find that interesting, what version of snort do you have? In the latest non-experimental full-release version of snort, 1.9.0, it's in the experimental.rules not the web-client.rules and the text message starts with EXPERIMENTAL. If you are running some version of snort from the snapshots, then your whole copy of snort is experimental.
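The three matching strategies discussed in this exchange, worked through as an added example (this is not code from the thread, from the Snort project, or from sid 1841 itself). It models the two-content rule Paul quotes as two independent substring tests, Matt's "\n within 100 bytes of javascript://" proposal as a bounded window, and the "\n somewhere before the closing quote" condition as a small quote-aware check that a plain pattern matcher cannot express. The `content:"\n"` is modelled as a literal 0x0A byte. The four payloads are constructed for the example; the function names, the 100-byte window and the padding length are assumptions, not anything the rule or the thread specifies.

```python
import re

# The two strings the quoted rule looks for, as raw bytes.
JS_PREFIX = b"javascript://"
NEWLINE = b"\n"  # content:"\n" modelled as the 0x0A byte


def naive_rule(payload: bytes) -> bool:
    """Two independent content: matches. Fires if both strings
    appear anywhere in the payload, in any order, at any distance."""
    return JS_PREFIX in payload and NEWLINE in payload


def within_rule(payload: bytes, window: int = 100) -> bool:
    """Matt's proposed tightening: the newline must fall inside
    `window` bytes after some occurrence of javascript://.
    (window=100 is the assumed 'domain is no longer than 100 bytes'.)"""
    start = 0
    while True:
        i = payload.find(JS_PREFIX, start)
        if i < 0:
            return False
        after = i + len(JS_PREFIX)
        if NEWLINE in payload[after:after + window]:
            return True
        start = after  # keep scanning for later occurrences


def quote_aware_rule(payload: bytes) -> bool:
    """The condition Matt says is the only FP-free one: a newline
    between javascript:// and the quote that closes the URL.
    Requires tracking the delimiter, which a pure substring
    matcher cannot do. [^"'] also matches newline, by design."""
    for m in re.finditer(rb'javascript://([^"\']*)', payload):
        if NEWLINE in m.group(1):
            return True
    return False


def evaluate(payload: bytes) -> dict:
    """Run all three detectors on one payload."""
    return {
        "naive": naive_rule(payload),
        "within100": within_rule(payload),
        "quote_aware": quote_aware_rule(payload),
    }


# --- constructed sample payloads (not captured traffic) ---

# The pattern the thread describes: javascript://{url-here}\n inside a
# quoted href, with the newline before the closing quote.
ATTACK = b'<a href="javascript://www.example.com\nalert(document.cookie)">x</a>'

# Benign text: both strings present, but the newline precedes the prefix.
BENIGN_TEXT = b'<p>Intro</p>\n<p>Type javascript://host into the bar.</p>'

# Benign link: javascript:// URL closed by its quote, newline shortly after.
BENIGN_LINK = b'<a href="javascript://example.com/x">y</a>\n'

# Padded attack: 150 filler bytes push the newline outside a 100-byte window.
PADDED = b'<a href="javascript://' + b'/' * 150 + b'\nalert(1)">x</a>'

SAMPLES = {
    "attack": ATTACK,
    "benign_text": BENIGN_TEXT,
    "benign_link": BENIGN_LINK,
    "padded_attack": PADDED,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} {evaluate(data)}")
```

Running the block shows the trade-off from the thread in one table: the naive rule fires on every sample including both benign ones; the 100-byte window clears the first benign case but still fires on the benign link (the newline after `</a>` is within range) and misses the padded attack; only the quote-aware check separates the two attacks from the two benign payloads. In a Snort rule that last condition would need a regex-style modifier rather than two `content:` keywords.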
Current thread:
- More sid 1841 Schmehl, Paul L (Feb 20)
- <Possible follow-ups>
- Re: More sid 1841 Kenneth G. Arnold (Feb 21)
- Re: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 -experimental? Matt Kettler (Feb 21)
- Re: More sid 1841 Michael Boman (Feb 22)
- Re: More sid 1841 Matt Kettler (Feb 22)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 22)