Re: The content pattern of Rule SID: 19713 can be improved

[Ruowen Wang <rwang9 () ncsu edu>]

Hi Alex,

Thanks for pointing this out. Actually, I was previously checking an old
snortrules-2922, which didn't contain the 24187, 24188 rules. I check the
latest one snortrules-2946. I find that 24188 can cover Metasploit attack.

It's good to know public exploits are covered by Snort rules. I also notice
there is a specific rule file exploit-kit.rules focusing on exploit tool
kits. That's great!

Thanks again!

Thank you very much! Have a nice day!
----
Looking forward to your reply

Best Regards!
Sincerely yours,

*Ruowen Wang*
**Graduate Student
Department of Computer Science
North Carolina State University
E-mail: rwang9 () ncsu edu



On Mon, Jul 29, 2013 at 7:06 AM, Alex McDonnell
<amcdonnell () sourcefire com>wrote:

> Hi Ruowen,
>
> If you search through the ruleset for the CVE 2011-2371 you will find that
> there are more rules that cover this vulnerability, on top of 19713 there
> is 19714, 24187 and 24188. Each of these rules covers different vectors and
> the should cover all public exploits.
>
> thanks,
> Alex McDonnell
> VRT
>
>
> On Mon, Jul 29, 2013 at 1:42 AM, Ruowen Wang <rwang9 () ncsu edu> wrote:
>
> > Dear All,
> >
> > I am doing a research to test Snort rules using Metasploit exploit
> > scripts. I find that the content pattern of the rule sid:19713 might be
> > inaccurate and can be improved. The rule is:
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow";
> > flow:to_client,established; file_data; content:"a.length=0xffffffff";
> > nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
> > metadata:policy balanced-ips drop, policy security-ips drop, service http;
> > reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
> > sid:19713; rev:2;)
> >
> > I find that in its content patterns "a.length..." and "a.reduce...", "a"
> > is actually a JavaScript var name (more specifically, it is an Array object
> > in this attack), which can be freely chosen by attacker. In addition, I
> > find this rule cannot detect the Metasploit attack. The corresponding
> > exploit is
> >
> > http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb
> >
> > If there is anyone who is familiar with this rule, please take a look,
> > and correct me if I am wrong.
> >
> > Thank you very much! Have a nice day!
> >
> >
> > Best Regards!
> > Ruowen
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > See everything from the browser to the database with AppDynamics
> > Get end-to-end visibility with application monitoring from AppDynamics
> > Isolate bottlenecks and diagnose root cause in seconds.
> > Start your free trial of AppDynamics Pro today!
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!