[Snort-sigs] Does HTML always escape?

Matt Kettler mkettler at ...189...
Wed Apr 21 12:04:04 EDT 2004


At 11:01 AM 4/21/2004, Derek Edwards wrote:
>Hello,
>
>I've been away from the list for a while, so please bear with me if I've 
>missed something important.  Given this signature installed in Snort 1.9 
>to detect an attempt to misuse MHTML in an HTML document:
>
>alert tcp any any -> $HOME_NET any (msg:"MHTML URL Attempt"; 
>flow:from_server,established; content:"ms-its|3A|mhtml|3A|"; nocase; 
>reference:cve,CAN-2004-0380; classtype:web-application-attack; 
>sid:1000019; rev:4; )
>
>The HTML snippet below brings up a general question.  Is there any way to 
>detect this kind of HTML, given the way the leading 'm' character is escaped?
>
><object 
>data="ms-its:mhtml:file://C:\foo.mht!${PATH}/junk.chm::/stuff.htm" 
>type="text/x-scriptlet"></object>
>The difficulty in supporting the variety of encodings used is covered in a 
>recent "incidents-list" thread 
>at: http://archives.neohapsis.com/archives/incidents/2004-04/0014.html
>

Correct me if I'm wrong, but isn't decoding all that escape garbage the job 
of the http_inspect preprocessor? (Note: I'm not sure what the Snort 1.9 
equivalent preprocessor is named. 1.9 is so old the details have long since 
escaped my memory, but I suspect it had an http decoder of some sort.)
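As an added illustration of the decoding step the thread is arguing about (this is example code written here, not code from either poster and not Snort's own preprocessor logic), the Python below shows why a byte-level `content:` match with `nocase` cannot see an entity-encoded leading `m`, and what a normalizer must cover before the match runs: decimal references (`&#109;`), hex references (`&#x6D;`, `&#X6d;`) and the semicolon-less forms browsers also accept. The sample bodies are constructed for the example; `decode_numeric_refs`, `raw_content_match`, `normalized_match` and `compare` are names chosen here. Whether a given Snort release performs this decoding on server response bodies is exactly the question the reply raises; the example only shows what the decoding itself has to handle.

```python
import re

# Pattern from the rule under discussion: content:"ms-its|3A|mhtml|3A|"; nocase
PATTERN = b"ms-its:mhtml:"

# Constructed sample response bodies (not taken from the thread). Only the first
# and the upper-case one carry the pattern as plain bytes; the others hide the
# leading 'm' (and, in one case, the second 'm') behind numeric character references.
SAMPLES = {
    "plain": b'<object data="ms-its:mhtml:file://C:\\foo.mht!x/junk.chm::/stuff.htm" '
             b'type="text/x-scriptlet"></object>',
    "decimal_ref": b'<object data="&#109;s-its:mhtml:file://C:\\foo.mht!x/junk.chm::/stuff.htm"></object>',
    "hex_ref": b'<object data="&#x6D;s-its:&#X6d;html:file://C:\\foo.mht!x/junk.chm::/stuff.htm"></object>',
    "no_semicolon": b'<object data="&#109s-its:mhtml:file://C:\\foo.mht!x/junk.chm::/stuff.htm"></object>',
    "upper_case": b'<OBJECT DATA="MS-ITS:MHTML:file://C:\\foo.mht!x/junk.chm::/stuff.htm"></OBJECT>',
    "benign": b'<a href="http://example.invalid/index.htm">home</a>',
}

# Decimal (&#NNN) or hex (&#xHH / &#XHH) reference; the semicolon is optional
# because HTML parsers are lenient about it.
_NUMERIC_REF = re.compile(r"&#([xX][0-9a-fA-F]+|[0-9]+);?")


def decode_numeric_refs(text: str) -> str:
    """Replace HTML numeric character references with the character they name.
    References to code points Python cannot represent are left as written."""
    def repl(m):
        ref = m.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        try:
            return chr(code)
        except (ValueError, OverflowError):
            return m.group(0)
    return _NUMERIC_REF.sub(repl, text)


def raw_content_match(body: bytes, pattern: bytes = PATTERN) -> bool:
    """Byte-level, case-insensitive search: roughly what a content match with
    nocase sees when nothing upstream has decoded the payload."""
    return pattern.lower() in body.lower()


def normalized_match(body: bytes, pattern: bytes = PATTERN) -> bool:
    """Decode character references first, then run the same case-insensitive search."""
    decoded = decode_numeric_refs(body.decode("latin-1"))
    return pattern.decode("ascii").lower() in decoded.lower()


def compare(samples=SAMPLES):
    """Return {name: (raw_hit, normalized_hit)} for each sample body, so the gap
    between the two approaches is visible per encoding."""
    return {name: (raw_content_match(b), normalized_match(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in compare().items():
        print(f"{name:13s} raw_match={raw!s:5s} normalized_match={norm}")
```

Running it shows the raw search catching only the `plain` and `upper_case` bodies, while the normalized search also catches the three entity-encoded variants and still leaves the benign body alone. A real normalizer would additionally have to handle named references and the other encodings the linked incidents thread discusses; numeric references are the minimum this particular evasion requires.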