Re: Couple sigs

[James Lay <jlay () slave-tothe-box net>]

On 2012-09-10 09:30, Alex Kirk wrote:
> Actually, the real issue with obfuscation is around the order of the
> width, height, and style parameters. Right now, just swapping any of
> those around in terms of their order within the packet evades the
> rule.
>
> I had thought about doing a PCRE to validate that all three elements
> were within a single tag, but that actually turns into a lot of
> potential permutations fairly rapidly once youve got 3 distinct
> options (3! worth, or 6 possible layouts, if my old math classes and
> my memory are serving me right), which will make for a fairly
> expensive PCRE - especially given that it would enter fairly
> frequently, since things like "style=visibility:hidden" are somewhat
> common elements on any given HTML page. Nick Randolph had an 
> excellent
> idea that revolves around using negative distance values to create a
> "window" of possible places for matches to occur that actually works
> fairly well in testing:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-OBFUSCATION hidden iframe - potential include of
> malicious content"; flow:to_client, established; file_data;
> content:"<iframe "; nocase; content:"width=1"; nocase; distance:0;
> within:50; content:"height=1"; nocase; distance:-40; within:80;
> content:"style=visibility|3a|hidden"; nocase; distance:-40; 
> within:80;
> classtype:bad-unknown;)
>
> Id still want to verify that its not common practice to do a hidden
> iframe in this manner in the wild, but writing the rule like this is 
> a
> nice balance between specificity, non-evadability, and performance,
> IMHO. Yes, theres the 2x2, or 0x0, iframes to deal with, etc., but
> since most of the stuff Ive ever seen in the wild is 1x1 or 0x0, then
> wed just have a pair of rules around this and be done with it.
>
> FWIW, Nick is working on a blog post explaining the logic of using
> negative distances like these for detection. Hopefully thatll be up
> this week.


Ah nice...thanks Alex.  I'll put this new rule into the live 
environment and let you know how it goes.

James


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!