Snort mailing list archives
Re: [Emerging-Sigs] FP : WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Feb 2012 09:40:01 -0500
Discussion of VRT rules belongs on the Snort-sigs list. Cc'ed here.

J

On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:
I am hitting a false positive on this rule when visiting Yahoo.

web-client.rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"<IFRAME "; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)

ID            < Signature >                                                                                                   < Timestamp >        < Source Address >  < Dest. Address >   < Layer 4 Proto >
#0-(5-49715)  [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt  2012-02-20 08:47:05  202.43.205.15:80    192.168.56.1:44895  TCP
#1-(5-49712)  [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt  2012-02-20 08:46:57  202.43.205.15:80    192.168.56.1:44895  TCP

HTTP/1.1 200 OK
Date: Mon, 20 Feb 2012 03:17:05 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0122.rm.sg1
Set-Cookie: ih="b!!!!'!%LG<!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W>"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Set-Cookie: liday1=nfg#QNHRYlV!-@g; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
Pragma: no-cache
Content-Type: text/html
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive

493
<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(12037232);} </script><!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) -->
<iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C" frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>
0

I believe that this is a VRT rule; do let me know if I can discuss those here, as I don't want to break any rules of this mailing list.

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
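The rule quoted in the thread is, in effect, a length check: once the `content:"<IFRAME "` fast-pattern hits, the pcre looks for a `src` attribute whose value runs 400 or more characters without a quote, whitespace or `>`. Ad-serving URLs like the yieldmanager one above routinely exceed that, which is why it fires on an ordinary Yahoo page. The following is an added example, not code from the original thread or from the Sourcefire VRT: it re-implements that detection logic in Python with the rule's PCRE copied as-is, decodes the chunked body the way `file_data` would see it, and reports the src length of every iframe so the threshold is visible. The sample bodies are constructed for this example; the long src is the yieldmanager URL copied from the captured response, and the `dechunk`/`chunk` helpers are a minimal stand-in for Snort's HTTP normalization, not its implementation.

```python
"""
Added example (not from the mailing-list post or the VRT): reproduce the
SID 15147 false positive offline by running the rule's pcre over the
dechunked HTTP body and reporting iframe src lengths.
"""
import re

# The rule's PCRE, copied 1:1 from the rule text in the post.
# PCRE flags /smi map to re.S (dotall), re.M (multiline), re.I (ignore case).
SID_15147_PCRE = re.compile(
    r"<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}",
    re.S | re.M | re.I,
)

# Helper matcher (not part of the rule) that extracts every iframe src value,
# quoted or unquoted, so its length can be compared with the 400 threshold.
IFRAME_SRC = re.compile(
    r"""<IFRAME\s+[^>]*?src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*))""",
    re.S | re.I,
)

# Constructed sample 1: the 160x600 ad iframe from the captured Yahoo
# response (src copied from the post; surrounding markup trimmed).
YAHOO_AD_SRC = (
    "http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua"
    "&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code"
    "&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924"
    "&i=302928&p=1&r=0"
    "&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html"
    "&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825"
    "&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2C"
    "eAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGyk"
    "EKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5"
    "o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hf"
    "gJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26W"
    "quhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C"
)
YAHOO_AD_BODY = (
    '<html><body><iframe src="' + YAHOO_AD_SRC
    + '" frameborder="0" scrolling="no" width="160" height="600"></iframe>'
    "</body></html>"
)

# Constructed sample 2: an ordinary short iframe that must not trigger.
BENIGN_BODY = (
    '<html><body><iframe src="http://example.com/widget.html" '
    'width="300" height="250"></iframe></body></html>'
)


def dechunk(wire: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body into the plain body.

    The captured response used Transfer-Encoding: chunked (the "493" line is
    the hex size of its single chunk).  Snort's file_data buffer holds the
    dechunked body, which is what the rule's pcre is evaluated against.
    """
    out = bytearray()
    pos = 0
    while True:
        end = wire.index(b"\r\n", pos)
        size = int(wire[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break
        out += wire[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF
    return bytes(out)


def chunk(body: bytes) -> bytes:
    """Encode body as one chunk plus terminator, like the captured response."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def iframe_src_lengths(body: str) -> list:
    """Return (src, length) for every iframe in body, in document order."""
    found = []
    for m in IFRAME_SRC.finditer(body):
        src = next(g for g in m.groups() if g is not None)
        found.append((src, len(src)))
    return found


def sid_15147_fires(body: str) -> bool:
    """True if the rule's pcre matches the (dechunked) HTTP body."""
    return SID_15147_PCRE.search(body) is not None


if __name__ == "__main__":
    body = dechunk(chunk(YAHOO_AD_BODY.encode())).decode()
    for src, n in iframe_src_lengths(body):
        print(f"yahoo ad: src length {n} -> rule fires: {sid_15147_fires(body)}")
    for src, n in iframe_src_lengths(BENIGN_BODY):
        print(f"benign:   src length {n} -> rule fires: {sid_15147_fires(BENIGN_BODY)}")
```

Because the match condition is purely "400 consecutive non-quote, non-space characters after src=", the quoting style and the rest of the tag do not matter, and any page embedding a long tracking URL in an iframe will hit it. If the rule stays enabled in a drop policy, the usual tuning is a `suppress` or `event_filter` entry for the offending source rather than a rewrite of the pcre, since lowering the 400 threshold would only widen the false-positive surface.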