Snort mailing list archives
Re: Couple sigs
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 10 Sep 2012 09:36:29 -0600
On 2012-09-10 09:30, Alex Kirk wrote:
Actually, the real issue with obfuscation is around the order of the width, height, and style parameters. Right now, just swapping any of those around in terms of their order within the packet evades the rule. I had thought about doing a PCRE to validate that all three elements were within a single tag, but that actually turns into a lot of potential permutations fairly rapidly once youve got 3 distinct options (3! worth, or 6 possible layouts, if my old math classes and my memory are serving me right), which will make for a fairly expensive PCRE - especially given that it would enter fairly frequently, since things like "style=visibility:hidden" are somewhat common elements on any given HTML page. Nick Randolph had an excellent idea that revolves around using negative distance values to create a "window" of possible places for matches to occur that actually works fairly well in testing: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hidden iframe - potential include of malicious content"; flow:to_client, established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase; distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80; content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80; classtype:bad-unknown;) Id still want to verify that its not common practice to do a hidden iframe in this manner in the wild, but writing the rule like this is a nice balance between specificity, non-evadability, and performance, IMHO. Yes, theres the 2x2, or 0x0, iframes to deal with, etc., but since most of the stuff Ive ever seen in the wild is 1x1 or 0x0, then wed just have a pair of rules around this and be done with it. FWIW, Nick is working on a blog post explaining the logic of using negative distances like these for detection. Hopefully thatll be up this week.
Ah nice...thanks Alex. I'll put this new rule into the live environment and let you know how it goes. James ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Couple sigs James Lay (Sep 07)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs James Lay (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs James Lay (Sep 10)
- Re: Couple sigs lists () packetmail net (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs lists () packetmail net (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)