Re: Couple sigs

[Alex Kirk <akirk () sourcefire com>]

These look like solid rules, James - especially the hidden Iframe bit, that
seems like suspicious practice even if it's on a "legit" web site.

I'm going to have these run through our rule testing group, just in case we
see legit sites doing either one of these things on a regular basis - but
assuming that they come up clean, I think they'd be excellent additions to,
say, INDICATOR-OBFUSCATION.

On Fri, Sep 7, 2012 at 2:06 PM, James Lay <jlay () slave-tothe-box net> wrote:

> So...I get really tired of malicious redirects, so here are a couple
> sigs:
>
> Maybe hidden iframes are all over the net...maybe not, but this one is
> specifically designed to catch stuff like the below:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Hidden iframe"; flow:to_client, established; file_data; content:"<iframe
> width=1 height=1 style=visibility|3a|hidden"; classtype:bad-unknown;
> sid:10000023; rev:1;)
>
> <iframe width=1 height=1 style=visibility:hidden
> src='http://www.redacted.com/wp-count.php?ref=redacted</iframe>
>
>
>
>
> this next one is to catch those pages that are just a single refresh
> line with a link to an IP...I see a lot of these types being pointed at
> from compromised (wordpess) sites...as I understand it file_data should
> make this sig search from the beginning of the response body...which is
> exactly where I want it to search and not say the middle of the page (I
> hope):
>
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE Page with only IP redirect, possible
> compromised site"; flow:to_client, established; file_data;
> content:"<html><head><meta http-equiv=|22|refresh";
> pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/sm"; classtype:bad-unknown;
> sid:10000024; rev:1;)
>
> <html><head><meta http-equiv="refresh"
> content="0;url=http://redacted/redacted";></meta></head></html>
>
>
>
>
> So far no FP's in my environment, your mileage may vary.  As usual,
> comments, thoughts, improvements, hack & slash on these are welcome.
> Thanks all.
>
> James
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!