Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Couple sigs

From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 07 Sep 2012 12:06:03 -0600
So...I get really tired of malicious redirects, so here are a couple 
sigs:

Maybe hidden iframes are all over the net...maybe not, but this one is 
specifically designed to catch stuff like the below:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 
Hidden iframe"; flow:to_client, established; file_data; content:"<iframe 
width=1 height=1 style=visibility|3a|hidden"; classtype:bad-unknown; 
sid:10000023; rev:1;)

<iframe width=1 height=1 style=visibility:hidden 
src='http://www.redacted.com/wp-count.php?ref=redacted</iframe>




this next one is to catch those pages that are just a single refresh 
line with a link to an IP...I see a lot of these types being pointed at 
from compromised (wordpess) sites...as I understand it file_data should 
make this sig search from the beginning of the response body...which is 
exactly where I want it to search and not say the middle of the page (I 
hope):


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISE Page with only IP redirect, possible 
compromised site"; flow:to_client, established; file_data; 
content:"<html><head><meta http-equiv=|22|refresh"; 
pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/sm"; classtype:bad-unknown; 
sid:10000024; rev:1;)

<html><head><meta http-equiv="refresh" 
content="0;url=http://redacted/redacted";></meta></head></html>




So far no FP's in my environment, your mileage may vary.  As usual, 
comments, thoughts, improvements, hack & slash on these are welcome.  
Thanks all.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: