[Snort-sigs] False Positive for Sid: 1841

Colin Tinker g1gsw at ...2705...
Wed Aug 4 13:37:45 EDT 2004


Rule:  
WEB-CLIENT Javascript URL host spoofing attempt
--
Sid:
1841
--
Summary:
Visit http://www.scan.co.uk and it will trigger this rule.
--
Impact:
False positive
--
Detailed Information:

Payload ASCII only Dump
<TD class="navBasketTitle">Latest news</TD>
<TD width="23"><a href="Javascript://" onclick="showhidemenu(document.all.spnLatestNews, document.all.imgLatestNews, 'ShowLatestNews')"><img src="/images/nav_bar_u.png" id="imgLatestNews" border="0" width="23" height="24"></a></TD>
</TR> </TABLE><SPAN id="spnLatestNews" style="visibility:visible">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<TR> <TD colspan="3" class="navBasketSep2"></TD> </TR>
<tr> <td align="right"><img src="/images/lt1a.gif" width="5" height="5"></td> <td background="/images/lt1b.gif"></td> <td><img src="/images/lt1c.gif" width="5" height="5"></td> </tr>
<tr> <td background="/images/lt2a.gif"></td> <td>
<table width="125" border="0" cellpadding="1" cellspacing="0" class="navBasketBG"> <tr> <td>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"> <td class="regText"><B>BENQ</B> - BenQ DW1600 Wins Tom's Hardware Guide Editor's Choice&nbsp;<A href="javascript:OpenNewsWindow('http://www.scan.co.uk/News/NewsArticle.ASP?ArticleID=254',450, 400);" class="navBasketlink">more</A> </td> </tr>
<tr valign="top"> <td class="RVsep2"></td> </tr>
<tr valign="top"> <td class="RVsep"></td> </tr>
<tr valign="t

Ethernet header
0:0:0:0:5:6e -> 0:a0:c9:5a:de:4f [ether_type=ip (2048)]

 Source : 00:00:00-00:05:6E
 Target : 00:A0:C9-5A:DE:4F
 Upper Layer (3/Transport) Protocol : 2048 (ip)
--
Affected Systems:
N/A
--
Attack Scenarios:
N/A
--
Ease of Attack:
N/A
--
False Positives:
See above
--
False Negatives:
N/A
--
Corrective Action:
unknown
--
Contributors:
Colin Tinker g1gsw at ...2705...
-- 
Additional References:

Regards

Colin
-- 
In a world without walls, why do we need Windows and Gates
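Added example, not code from the report above or from the Snort project: it reproduces why the captured fragment trips the rule and adds a narrower classifier that separates the benign no-op href from the shape the rule name describes. It assumes SID 1841 amounts to a case-insensitive content match on "javascript://" in server-to-client data; the sample HTML is trimmed from the ASCII dump in the report.

```python
import html
import re

# Constructed sample: the two hrefs from the ASCII payload dump in the
# report, with the surrounding table markup trimmed away.
CAPTURED_HTML = (
    '<TD class="navBasketTitle">Latest news</TD> <TD width="23">'
    '<a href="Javascript://" onclick="showhidemenu(document.all.spnLatestNews, '
    "document.all.imgLatestNews, 'ShowLatestNews')\">"
    '<img src="/images/nav_bar_u.png" id="imgLatestNews" border="0"></a></TD>'
    '<A href="javascript:OpenNewsWindow(\'http://www.scan.co.uk/News/'
    'NewsArticle.ASP?ArticleID=254\',450, 400);" class="navBasketlink">more</A>'
)

# Assumption: SID 1841 reduces to a case-insensitive content match on
# "javascript://" in server-to-client HTTP data; that is all this reproduces.
RULE_CONTENT = re.compile(rb"javascript://", re.IGNORECASE)


def sid1841_fires(payload: bytes) -> bool:
    """True when the assumed rule content appears anywhere in the payload."""
    return RULE_CONTENT.search(payload) is not None


HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)


def classify_javascript_hrefs(page: str) -> dict:
    """Map each javascript: href to 'noop', 'handler' or 'suspicious'.

    'noop'       bare javascript:// with nothing after the slashes: "//"
                 opens a JS line comment, so the link itself runs nothing
                 and the real behaviour lives in the onclick attribute.
    'handler'    javascript:<code> without a leading //, an ordinary
                 inline handler outside this rule's scope.
    'suspicious' javascript:// followed by more text, the shape the rule
                 name describes and the one worth an analyst's look.
    """
    verdicts = {}
    for raw in HREF_RE.findall(page):
        value = html.unescape(raw).strip()
        if not value.lower().startswith("javascript:"):
            continue
        body = value[len("javascript:"):]
        if body.startswith("//"):
            verdicts[value] = "noop" if body[2:].strip() == "" else "suspicious"
        else:
            verdicts[value] = "handler"
    return verdicts
```

Running the classifier over the captured fragment returns "noop" for the offending href, which is why this hit is a false positive under the assumed match.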