Snort mailing list archives

Re: [Emerging-Sigs] FP : WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt


From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Feb 2012 09:40:01 -0500

Discussion of VRT rules belongs on the Snort-sigs list.  Cc'ed here.

J

On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:

I am hitting a false positive for the rule below when visiting Yahoo.

web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"<IFRAME "; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)


 ID            Signature                                                                                                    Timestamp            Source Address    Dest. Address       Layer 4 Proto
 #0-(5-49715)  [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt  2012-02-20 08:47:05  202.43.205.15:80  192.168.56.1:44895  TCP
 #1-(5-49712)  [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt  2012-02-20 08:46:57  202.43.205.15:80  192.168.56.1:44895  TCP


HTTP/1.1 200 OK
Date: Mon, 20 Feb 2012 03:17:05 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0122.rm.sg1
Set-Cookie: ih="b!!!!'!%LG<!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W>"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Set-Cookie: liday1=nfg#QNHRYlV!-@g; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
Pragma: no-cache
Content-Type: text/html
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive

493
<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(12037232);}
</script><!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) -->
<iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C"; frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>

0
I believe that this is a VRT rule; do let me know if I can discuss those here, as I don't want to break any rules of this mailing list.

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
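For anyone triaging this report, the following Python is an added illustration (not part of the thread, and not VRT or Emerging Threats code) that applies the quoted rule's content and pcre logic to the dechunked ad body from the report and to a constructed short iframe. It shows the mechanism of the false positive: the rule fires on any iframe whose src value contains 400 consecutive characters with no quote, whitespace or ">", and the yieldmanager tracking URL is well over that length. Snort's file_data normalisation and dechunking are assumed to have already happened, so the functions take the plain HTML body; the IFRAME_SRC helper regex is mine and is not part of the rule.

```python
import re

# The pcre option from sid:15147 rev:7, exactly as quoted in the report.
# Snort's /smi modifiers map to DOTALL, MULTILINE and IGNORECASE in Python's re.
SID_15147_PCRE = re.compile(
    rb"<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)

# The rule's fast-pattern content match ('<IFRAME '; nocase), which must hit
# before Snort evaluates the pcre at all.
CONTENT_MATCH = b"<iframe "

# Hypothetical helper (not part of the rule): extract every iframe src value so
# its length can be measured with the same character class the pcre counts.
IFRAME_SRC = re.compile(
    rb"<iframe\s+[^>]*?src\s*=\s*(?:\x22|\x27|)([^\x22\x27\s>]*)",
    re.DOTALL | re.IGNORECASE,
)


def rule_matches(body: bytes) -> bool:
    """Apply the rule's content + pcre logic to an already dechunked body."""
    if CONTENT_MATCH not in body.lower():
        return False
    return SID_15147_PCRE.search(body) is not None


def iframe_src_lengths(body: bytes) -> list[int]:
    """Length of each iframe src value; 400 or more is what trips the pcre."""
    return [len(m.group(1)) for m in IFRAME_SRC.finditer(body)]


# Dechunked body of the Yahoo ad response quoted in the report, copied from it
# with the extraction line wraps joined.
YAHOO_AD_BODY = (
    b'<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; '
    b'margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) '
    b'{rm_crex_data.push(12037232);}\n</script><!-- RMX,yatranua/160x600_flash/160x600 '
    b'(creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 '
    b'15:42:54 GMT+0800 (Taipei Standard Time) -->\n<iframe src="'
    b'http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua'
    b'&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm'
    b'&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0'
    b'&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html'
    b'&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825'
    b'&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrc'
    b'ADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkk'
    b'AEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD9'
    b'9wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3le'
    b'QrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C"'
    b' frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>'
)

# Constructed benign page with a short iframe src (not from the report).
BENIGN_BODY = (
    b'<html><body><iframe src="https://example.com/embed?id=12345" '
    b'width="560" height="315"></iframe></body></html>'
)


if __name__ == "__main__":
    for name, body in (("yahoo ad", YAHOO_AD_BODY), ("benign", BENIGN_BODY)):
        print(f"{name}: sid:15147 fires={rule_matches(body)} "
              f"src lengths={iframe_src_lengths(body)}")
```

The length list is the useful triage output: the rule has no notion of what the 400 characters are, only that they are uninterrupted by quotes, whitespace or ">", so any quoted ad or tracking URL of that length in an iframe src will fire it just as the Yahoo response did.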

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
