[Snort-sigs] Does HTML always escape?

Derek Edwards derekedw at ...144...
Wed Apr 21 08:02:08 EDT 2004

I've been away from the list for a while, so please bear with me if I've missed something important.  Given this signature installed in Snort 1.9 to detect an attempt to misuse MHTML in an HTML document:
alert tcp any any -> $HOME_NET any (msg:"MHTML URL Attempt"; flow:from_server,established; content:"ms-its|3A|mhtml|3A|"; nocase; reference:cve,CAN-2004-0380; classtype:web-application-attack; sid:1000019; rev:4; )
The HTML snippet below brings up a general question.  Is there any way to detect this kind of HTML, given the way the leading 'm' character is escaped?  
<object data="ms-its:mhtml:file://C:\foo.mht!${PATH}/junk.chm::/stuff.htm" type="text/x-scriptlet"></object>

The difficulty in supporting the variety of encodings used is covered in a recent "incidents-list" thread at:  http://archives.neohapsis.com/archives/incidents/2004-04/0014.html
Thank you,

  Derek Edwards, CISSP/CEH                     derekedw at ...144...
                         Soli Deo Gloria
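The point of the question above is that a byte-level content match such as content:"ms-its|3A|mhtml|3A|" only sees the literal bytes on the wire, so an HTML character reference standing in for the leading 'm' (as shown in the snippet, or as printed above after the archive decoded it) never matches. The detection-side answer is to decode the document the way a browser would before applying the pattern. The following Python script is an added illustration of that idea and is not part of the original post or of Snort; the sample fragments are constructed, the file path is a made-up placeholder, and html.unescape from the standard library is used as the normalization step.

```python
import html
import re

# Case-insensitive equivalent of the signature's content match (nocase).
MHTML_PATTERN = re.compile(r"ms-its:mhtml:", re.IGNORECASE)

# Constructed sample fragments (not taken from any real capture): the same
# ms-its:mhtml: prefix written raw, with a decimal entity for the leading 'm',
# with hex entities, in upper case, and one benign object tag for contrast.
SAMPLES = {
    "raw": '<object data="ms-its:mhtml:file://C:\\placeholder.mht!x/junk.chm::/stuff.htm"></object>',
    "decimal": '<object data="&#109;s-its:mhtml:file://C:\\placeholder.mht!x/junk.chm::/stuff.htm"></object>',
    "hex": '<object data="&#x6D;s-its:&#x6d;html:file://C:\\placeholder.mht!x/junk.chm::/stuff.htm"></object>',
    "mixed_case": '<OBJECT DATA="MS-ITS:MHTML:file://C:\\placeholder.mht!x/junk.chm::/stuff.htm"></OBJECT>',
    "benign": '<object data="https://example.invalid/page.htm" type="text/html"></object>',
}


def raw_match(fragment):
    """Match the literal bytes, the way a plain content: keyword does (no decoding)."""
    return MHTML_PATTERN.search(fragment) is not None


def normalize(fragment, rounds=3):
    """Decode HTML character references (decimal, hex, named) before matching.

    Decoding is repeated a bounded number of times so doubly encoded input such as
    &amp;#109; is also reduced; the loop stops early once nothing changes.
    """
    current = fragment
    for _ in range(rounds):
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    return current


def normalized_match(fragment):
    """Match after normalization: this is what the browser-equivalent view sees."""
    return MHTML_PATTERN.search(normalize(fragment)) is not None


def classify(samples):
    """Return {name: (raw_hit, normalized_hit)} so the two approaches can be compared."""
    return {name: (raw_match(frag), normalized_match(frag)) for name, frag in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, norm_hit) in classify(SAMPLES).items():
        print(f"{name:11s} raw={raw_hit!s:5s} normalized={norm_hit}")
```

Running it shows the decimal and hex variants slipping past the raw match while the normalized match catches all four encodings and still ignores the benign tag; the same normalize-then-match step is what an inspection engine needs to apply to HTTP response bodies before a signature like the one above can be relied on against entity-encoded markup.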
