Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Couple sigs

From: Alex Kirk <akirk () sourcefire com>
Date: Mon, 10 Sep 2012 12:00:04 -0400
On Mon, Sep 10, 2012 at 11:40 AM, lists () packetmail net <lists () packetmail net

wrote:



On 09/10/12 10:30, Alex Kirk wrote:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any

(msg:"INDICATOR-OBFUSCATION

hidden iframe - potential include of malicious content"; flow:to_client,
established; file_data; content:"<iframe "; nocase; content:"width=1";

nocase;

distance:0; within:50; content:"height=1"; nocase; distance:-40;

within:80;

content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
classtype:bad-unknown;)


I've seen \x22 and \x27 being used occasionally to quote the in-line style
declaration.

Cheers,
Nathan


Which, of course, goes back to the whole issue of "HTML is such a

relatively free-form mockup language that there's a zillion ways to evade
any sort of detection."

If this concept isn't totally blown out of the water by lots of legitimate
web sites using hidden iframes, then it seems to me that the best way to
proceed is to figure out what's the least performance-intensive way of
accounting for all of the potential permutations. This may end up being
several rules, or potentially even a single rule with a PCRE; I'm honestly
agnostic as to how the end result is achieved, so long as it works when
we're done. Long-term, it might even make sense to have additional Snort
functionality to normalize cases like this (i.e. standardize how quotes
appear in a normalized buffer) to make things more sane, but that's
something we'd need to debate fairly extensively within the community
before implementing, I'm sure.

In the meantime, thanks for the input, you make a very good point.

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: