Snort mailing list archives
Re: [Emerging-Sigs] FP : WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt
From: Joel Esler <jesler () sourcefire com>
Date: Mon, 20 Feb 2012 09:45:20 -0500
Oh, and that being said, this is a vulnerability against IE6 from October of 2004 that had to do with large Iframes. If you are not running IE6 or have patched it since 2004, feel free to disable this rule.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 20, 2012, at 9:40 AM, Joel Esler wrote:
Discussion of VRT rules belongs on the Snort-sigs list. Cc'ed here.

J

On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:

I am hitting on a false positive for the rule on visiting Yahoo.

web-client.rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"<IFRAME "; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)

ID  < Signature >  < Timestamp >  < Source Address >  < Dest. Address >  < Layer 4 Proto >
#0-(5-49715)  [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt  2012-02-20 08:47:05  202.43.205.15:80  192.168.56.1:44895  TCP
#1-(5-49712)  [cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt  2012-02-20 08:46:57  202.43.205.15:80  192.168.56.1:44895  TCP

HTTP/1.1 200 OK
Date: Mon, 20 Feb 2012 03:17:05 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0122.rm.sg1
Set-Cookie: ih="b!!!!'!%LG<!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W>"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Set-Cookie: liday1=nfg#QNHRYlV!-@g; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
Pragma: no-cache
Content-Type: text/html
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive

493
<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(12037232);} </script><!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) -->
<iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C" frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>
0

I believe that this is a VRT rule; do let me know if I can discuss those here, I don't want to break some rules of this mailing list.

--
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
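To see why an ad creative like this one trips sid:15147, here is an added Python check (written for this archive note, not code from the thread or from the VRT ruleset) that runs the rule's pcre, with Snort's /smi flags mapped to Python's, against two constructed pages; the example.invalid hosts and the padded query string are made up, the pattern is the one quoted in the rule.

```python
import re

# The pcre from VRT sid:15147 rev:7 exactly as quoted in the thread.
# Snort's /smi flags map to Python's DOTALL, MULTILINE and IGNORECASE.
RULE_PCRE = re.compile(
    r"<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}",
    re.S | re.M | re.I,
)

# Companion pattern that captures the whole src value so we can report
# the length the rule is really keying on.
SRC_PATTERN = re.compile(
    r"<iframe\s+[^>]*?src\s*=\s*[\x22\x27]?([^\x22\x27\s>]*)", re.S | re.I
)


def rule_matches(body: str) -> bool:
    """True if the sid:15147 pcre would fire on this file_data buffer."""
    return RULE_PCRE.search(body) is not None


def longest_iframe_src(body: str) -> int:
    """Longest <iframe src=...> value, measured the way the rule measures it
    (characters up to the first quote, whitespace or '>')."""
    return max((len(m.group(1)) for m in SRC_PATTERN.finditer(body)), default=0)


# Constructed samples, not the Yahoo packet from the report. An ad-server tag
# whose src carries a long click-tracking URL (like the yieldmanager.net
# TagMonkey iframe) easily exceeds the rule's 400-character threshold.
AD_SRC = "http://tm.example.invalid/TagMonkey?" + "&".join(
    "p%d=%s" % (i, "x" * 20) for i in range(25)
)
AD_IFRAME = (
    '<html><body><iframe src="%s" frameborder="0" scrolling="no" '
    'width="160" height="600"></iframe></body></html>' % AD_SRC
)
# A normal page with a short iframe src does not trip the rule.
SHORT_IFRAME = '<html><body><iframe src="http://example.invalid/frame.html"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in (("ad creative", AD_IFRAME), ("short iframe", SHORT_IFRAME)):
        print("%-13s src length %4d  sid:15147 fires: %s"
              % (name, longest_iframe_src(page), rule_matches(page)))
```

The only thing the rule measures is the length of the src run, so any long redirector or click-tracking URL in an iframe fires it regardless of the browser on the receiving end.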