Snort mailing list archives

The content pattern of Rule SID: 19713 can be improved


From: Ruowen Wang <rwang9 () ncsu edu>
Date: Sun, 28 Jul 2013 22:42:37 -0700

Dear All,

I am doing research to test Snort rules using Metasploit exploit scripts.
I find that the content pattern of the rule sid:19713 might be inaccurate
and can be improved. The rule is:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX
Mozilla Array.reduceRight integer overflow"; flow:to_client,established;
file_data; content:"a.length=0xffffffff"; nocase;
content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
sid:19713; rev:2;)

I find that in its content patterns "a.length..." and "a.reduce...", "a" is
actually a JavaScript variable name (more specifically, it is an Array object in
this attack), which can be freely chosen by the attacker. In addition, I find
this rule cannot detect the Metasploit attack. The corresponding exploit is
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb

If there is anyone who is familiar with this rule, please take a look, and
correct me if I am wrong.

Thank you very much! Have a nice day!


Best Regards!
Ruowen
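To make the point in the post concrete, the following is an added example (not the poster's code and not part of the Snort rule set): it emulates the two ordered, case-insensitive `content` matches of SID 19713 in Python against two constructed page snippets, one using the variable name "a" and one using "arr", and then shows a hypothetical variable-agnostic pattern that captures the identifier before `.length` and requires the same identifier before `.reduceRight` via a backreference. The sample snippets, the `GENERIC_RE` pattern and the function names are assumptions for illustration.

```python
import re

# Constructed sample snippets containing only the statements the rule looks for.
# SAMPLE_A uses the variable name "a" that SID 19713 hardcodes; SAMPLE_ARR is the
# same statement shape with a different variable name and different whitespace.
SAMPLE_A = b"var a = new Array(); a.length=0xffffffff; a.reduceRight(callback,0);"
SAMPLE_ARR = b"var arr = new Array(); arr.length = 0xffffffff; arr.reduceRight(callback, 0);"

# The two literal content matches from SID 19713, with Snort's |28| |2C| |29|
# hex escapes decoded to "(", "," and ")".
SID19713_CONTENTS = [b"a.length=0xffffffff", b"a.reduceright(callback,0)"]


def snort_content_match(data: bytes, patterns) -> bool:
    """Emulate an ordered chain of `content ... nocase; distance:0;` matches:
    each pattern must be found at or after the end of the previous match."""
    hay = data.lower()  # nocase: compare case-insensitively
    pos = 0
    for pat in patterns:
        idx = hay.find(pat.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(pat)  # distance:0 relative to the previous match
    return True


# Hypothetical variable-agnostic alternative (an assumption, not an official
# revision of the rule): capture any JavaScript identifier before ".length",
# then require the same identifier (backreference \1) before ".reduceRight(".
GENERIC_RE = re.compile(
    rb"([A-Za-z_$][\w$]*)\.length\s*=\s*0xffffffff\b.*?"
    rb"\1\.reduceRight\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def generic_match(data: bytes) -> bool:
    """True if the identifier-agnostic pattern finds the length/reduceRight pair."""
    return GENERIC_RE.search(data) is not None


if __name__ == "__main__":
    for name, sample in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_ARR", SAMPLE_ARR)):
        print(name, "sid19713:", snort_content_match(sample, SID19713_CONTENTS),
              "generic:", generic_match(sample))
```

The generic pattern still anchors on the literal `0xffffffff`, so it narrows the evasion the post describes rather than removing it; a decimal length or an obfuscated expression would need further handling.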
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org