Snort mailing list archives

Re: FP on 31977?


From: Dave Killion <dave.killion () gmail com>
Date: Mon, 16 Mar 2015 16:13:06 +0000

That is the most horrible web-app I've seen in a long, long time.

I wonder how susceptible it is to cross-site scripting... :)

-Dave

On Mon, Mar 16, 2015 at 7:26 AM Weir, Jason <jason.weir () nhrs org> wrote:

Getting hits on 31977 via the GET below – I believe they are false.



GET /services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones
Obituary&String=r. Memorial Home, Franklin-Tilton Road, 584 West Main St.,
in Tilton. Deb's family requests that those wishing, may make contributions
in her name to ;(function() { var adKeyValue = 't=';
adKeyValue                += escape('clio=MAW'); adKeyValue +=
escape('&cobrand=concordmonitor'); adKeyValue += escape('&linktext=The
Make-A-Wish Foundation'); adKeyValue += escape('&linkurl=
http://ad.doubleclick.net/ddm/clk/286988598%3B113956851%3Bl&apos;); adKeyValue
+= escape('&fn=Debra'); adKeyValue += escape('&ln=Jones'); var adClkUrl = '
http://pubads.g.doubleclick.net/gampad/jump?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&&apos;
+ adKeyValue + '&sz=1x1&c=537810296'; var adImpUrl = '
http://pubads.g.doubleclick.net/gampad/ad?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&&apos;
+ adKeyValue + '&sz=1x1&c=537810296'; document.write(" The Make-A-Wish
Foundation "); }()); The Make-A-Wish Foundation of New Hampshire, 814 Elm
St., Suite 300, Manchester, NH 03101. For more information go to
smartfuneralhome.com.&location=
http://www.legacy.com/obituaries/concordmonitor/obituary.aspx?n=debra-ann-jones-ross&pid=174389739&fhid=13973&randomlabel=ga38770210180839515&published=Sat
Mar 14 2015 00:00:00 GMT-0400 (Eastern Daylight Time) HTTP/1.1



Looks like the function() { is what is triggering the rule.



Current rule



alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278;
reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)



Will adding content:!" function() " break things?



alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:!" function() "; content:"() {"; fast_pattern:only; http_uri;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:cve,2014-6271; reference:cve,2014-6277;
reference:cve,2014-6278; reference:cve,2014-7169;
classtype:attempted-admin; sid:31977; rev:5;)



Jason


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
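The following is an added check, not part of the thread and not Snort code: a small Python model of how the rev:4 rule, the proposed rev:5 rule, and one constructed alternative behave against the obituary URI quoted above, a URI carrying the Bash function-definition prefix that sid:31977 exists to catch, and a plain benign request. It treats each content: keyword as a byte-exact, case-sensitive substring test over the decoded URI and assumes, as a simplification, that every content in the rule is evaluated against that same buffer (in Snort each content is evaluated against the buffer chosen by its own modifiers, so a negated content without http_uri would see the raw payload instead). The sample URIs are constructed from the text of the thread, not captured traffic.

```python
from dataclasses import dataclass
from typing import Dict, List

# --- Constructed samples (built from the thread, not captured traffic) ------
# Decoded request URI modelled on the obituary GET quoted in the thread,
# shortened to the fragment that carries the ";(function() {" token.
OBITUARY_URI = (
    "/services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary"
    "&String=r. Memorial Home, Franklin-Tilton Road, contributions in her name "
    "to ;(function() { var adKeyValue = 't='; adKeyValue += escape('clio=MAW'); "
    "document.write(\" The Make-A-Wish Foundation \"); }()); "
    "&location=http://www.legacy.com/obituaries/concordmonitor/obituary.aspx"
)

# URI carrying the Bash function-definition prefix that sid:31977
# (CVE-2014-6271 and related) is written to catch; the command part is a no-op.
SHELLSHOCK_URI = "/cgi-bin/status.cgi?user=() { :;}; /bin/true"

# Ordinary request with no "() {" anywhere.
BENIGN_URI = "/services/obituaries.ashx?IncludeSidebar=0&Name=Jane Doe"

SAMPLES = {"obituary": OBITUARY_URI, "shellshock": SHELLSHOCK_URI, "benign": BENIGN_URI}


@dataclass(frozen=True)
class Content:
    """One content: keyword, a byte-exact substring, optionally negated (content:!"...")."""
    pattern: str
    negated: bool = False

    def matches(self, buf: str) -> bool:
        found = self.pattern in buf  # plain, case-sensitive substring test
        return (not found) if self.negated else found


def rule_fires(contents: List[Content], uri: str) -> bool:
    """A rule alerts only when every content, negated ones included, is satisfied."""
    return all(c.matches(uri) for c in contents)


def evaluate(contents: List[Content], samples: Dict[str, str] = SAMPLES) -> Dict[str, bool]:
    """Map each sample name to whether the rule would alert on it."""
    return {name: rule_fires(contents, uri) for name, uri in samples.items()}


# rev:4 as posted: the single "() {" content.
REV4 = [Content("() {")]
# rev:5 as proposed: adds a negated " function() " (note the leading and trailing spaces).
REV5 = [Content(" function() ", negated=True), Content("() {")]
# Constructed alternative (hypothetical): negate the exact byte sequence the sample carries.
ALT = [Content("(function() {", negated=True), Content("() {")]

if __name__ == "__main__":
    for name, rule in (("rev4", REV4), ("rev5", REV5), ("alt", ALT)):
        print(name, evaluate(rule))
```

Running it shows the detail worth checking before changing the rule: the sample URI contains "(function() {" with a "(" immediately before "function", so the space-prefixed " function() " never occurs, the negated content is satisfied, and rev:5 still alerts on the obituary request exactly as rev:4 does. Negating the bytes that are actually present does silence the sample while leaving the Shellshock sample alerting, but any negated content makes the rule silent for every request that happens to carry that string, so a suppression or threshold keyed to the specific server and URI is the narrower tuning choice.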
