Re: Linking this with that to create an alert

[rmkml <rmkml () yahoo fr>]

Hi James,

First, thx you for your all share!

Please try with these two sigs,

first sig match /jquery on http_uri and set flowbits

second sig check flowbits before and after http reply with document.write.

Don't remember adding flowbits:noalert; on first sig if it's work ;)

alert tcp any any -> any 80 (msg:"jquery uri flowbits"; 
flow:to_server,established; content:"/jquery"; nocase; http_uri; 
flowbits:set,http.jquery; classtype:web-application-activity; sid:1; 
rev:99;) # flowbits:noalert;

alert tcp any 80 -> any any (msg:"jquery uri with document.write reply 
attempt"; flow:to_client,established; flowbits:isset,http.jquery; 
file_data; content:"document.write"; distance:0; 
classtype:web-application-activity; sid:2; rev:99;)

Best Regards
@Rmkml



On Wed, 29 Jan 2014, James Lay wrote:

> All,
>
> In looking at:
>
> http://blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html
>
> I'm wondering if there's a way to, in plain English: "if I requested a
> jquery named file, and that file contains a document.write, then alert".
> Betting it's a flowbit thing, which I've not really used much.  Any
> good resources that could assist with something like this?  Thanks.
>
> James

------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!