Snort mailing list archives
Re: Couple sigs
From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 10 Sep 2012 12:00:04 -0400
On Mon, Sep 10, 2012 at 11:40 AM, lists () packetmail net <lists () packetmail net
wrote:
On 09/10/12 10:30, Alex Kirk wrote:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any(msg:"INDICATOR-OBFUSCATIONhidden iframe - potential include of malicious content"; flow:to_client, established; file_data; content:"<iframe "; nocase; content:"width=1";nocase;distance:0; within:50; content:"height=1"; nocase; distance:-40;within:80;content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80; classtype:bad-unknown;)I've seen \x22 and \x27 being used occasionally to quote the in-line style declaration. Cheers, Nathan Which, of course, goes back to the whole issue of "HTML is such a
relatively free-form mockup language that there's a zillion ways to evade any sort of detection." If this concept isn't totally blown out of the water by lots of legitimate web sites using hidden iframes, then it seems to me that the best way to proceed is to figure out what's the least performance-intensive way of accounting for all of the potential permutations. This may end up being several rules, or potentially even a single rule with a PCRE; I'm honestly agnostic as to how the end result is achieved, so long as it works when we're done. Long-term, it might even make sense to have additional Snort functionality to normalize cases like this (i.e. standardize how quotes appear in a normalized buffer) to make things more sane, but that's something we'd need to debate fairly extensively within the community before implementing, I'm sure. In the meantime, thanks for the input, you make a very good point. -- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Couple sigs James Lay (Sep 07)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs James Lay (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs James Lay (Sep 10)
- Re: Couple sigs lists () packetmail net (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs lists () packetmail net (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)
- Re: Couple sigs Alex Kirk (Sep 10)