[Snort-sigs] IE exploits

Joseph Gama josephgama at ...144...
Fri Aug 13 16:03:21 EDT 2004


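# "HTTP traffic redirection" (as posted; the intent of the check is not
# explained in the message).
# Fires when a payload sent from an external HTTP server port to a
# $HOME_NET host begins with the literal bytes "GET / HTTP/"
# (offset:0; depth:11 pins the 11-byte pattern to the very start of the
# payload).
# NOTE(review): those bytes are a client *request* line, yet the rule
# is written for server->client traffic; confirm the intended direction
# with the author before deploying.
# Fixes vs. the posted text: the content pattern had been wrapped across
# two lines by the mail archive (a newline inside content:"..." breaks
# the rule), the sid was shared by all five rules in this post, and no
# flow keyword restricted it to established sessions.
# The sid below is a constructed placeholder - allocate from your local
# range (>= 1000000) and keep every sid unique.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"HTTP traffic redirection"; \
    flow:to_client,established; \
    content:"GET / HTTP/"; offset:0; depth:11; \
    classtype:misc-activity; sid:2000000; rev:2;)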

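# "Cookie theft": server->client content carrying a URL to a script
# endpoint (.asp/.php/.pl/.cgi with a query string) and, somewhere later
# in the same payload, the expression "+document.cookie" - the typical
# shape of script that appends the cookie to an outbound request.
# Fixes vs. the posted text:
#  - content:"document.cookie"; nocase; was added ahead of the pcre. It
#    is already implied by the pcre's literal (case-insensitive), so it
#    narrows nothing, but it gives the fast-pattern matcher something to
#    prefilter on; a rule with only a pcre is evaluated on every packet.
#  - flow:to_client,established; limits evaluation to established
#    server->client streams.
#  - sid made unique (constructed placeholder - assign from your local
#    range >= 1000000).
# NOTE(review): [\s\S]* lets the URL and "+document.cookie" be arbitrarily
# far apart, so pages that legitimately read document.cookie may match;
# expect to tune this.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Cookie theft"; \
    flow:to_client,established; \
    content:"document.cookie"; nocase; \
    pcre:"/http\:\/\/[\S]*\.(asp|php|pl|cgi)\?[\s\S]*\+document\.cookie/i"; \
    classtype:misc-activity; sid:2000001; rev:2;)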

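# "Internet Explorer Remote Null Pointer Crash": server->client content
# containing an href attribute whose value starts with "::{" (a shell
# namespace GUID reference), per the referenced SecuriTeam advisory.
# Fixes vs. the posted text:
#  - The pcre contained a bare double quote inside the double-quoted
#    option (['"]*). At best that is ambiguous to the rule parser; \x22
#    expresses the same character unambiguously.
#  - content:"href"; nocase; and content:"::{"; were added as
#    fast-pattern prefilters. Both are necessary conditions of the pcre,
#    so detection is unchanged.
#  - reference:url was "http.www.securiteam.com/..."; Snort prepends the
#    scheme itself, so the value must start at the host name.
#  - flow:to_client,established; added; sid made unique (constructed
#    placeholder - assign from your local range >= 1000000).
# NOTE(review): classtype:misc-activity is low priority for a
# client-side crash signature; consider a higher-priority class from
# your classification.config.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Internet Explorer Remote Null Pointer Crash"; \
    flow:to_client,established; \
    content:"href"; nocase; \
    content:"::{"; \
    pcre:"/href[\s]*=[\s]*['\x22]*\:\:\{/i"; \
    reference:url,www.securiteam.com/windowsntfocus/5IP020KDPU.html; \
    classtype:misc-activity; sid:2000002; rev:2;)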

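# "Similar Method Name Redirection Vulnerability with alert".
# Server->client script content in which, in order: window.open is
# followed by a "javascript:" scheme, then "alert", then
# location.assign followed by a "javascript:" scheme and an assignment
# of the form "<x>.location.assign = location.assign", then
# location.href.
# The [\x09\x0a\x0b\x0c\x0d]* classes allow tab/LF/VT/FF/CR between the
# letters of "javascript" - the whitespace-splitting IE tolerates in a
# scheme name. Each "/R" pcre is matched relative to the end of the
# preceding content match; the content matches on JS identifiers are
# deliberately case-sensitive (JavaScript identifiers are).
# Fixes vs. the posted text: the msg had been wrapped across two lines
# by the mail archive (a newline inside msg:"..." breaks the rule);
# reference:url dropped its bogus "http." prefix (Snort prepends the
# scheme); flow:to_client,established; added; sid made unique
# (constructed placeholder - assign from your local range >= 1000000).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Similar Method Name Redirection Vulnerability with alert"; \
    flow:to_client,established; \
    content:"window.open"; \
    pcre:"/j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; \
    content:"alert"; \
    content:"location.assign"; \
    pcre:"/j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; \
    pcre:"/[\w]\.location\.assign[\s]*=[\s]*location\.assign/Ri"; \
    content:"location.href"; \
    reference:url,freehost07.websamba.com/greyhats/similarmethodnameredir.htm; \
    classtype:misc-activity; sid:2000003; rev:2;)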

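# "Similar Method Name Redirection Vulnerability with try/catch".
# Server->client script content in which, in order: window.open is
# followed by a "javascript:" scheme, then setInterval ... try {, then a
# "var <name>= opener.location.href ... catch (" sequence, then a
# "javascript:" scheme, an assignment "<x>.location.assign =
# location.assign", and finally location.href.
# The [\x09\x0a\x0b\x0c\x0d]* classes allow tab/LF/VT/FF/CR between the
# letters of "javascript"; each "/R" pcre is matched relative to the end
# of the preceding match.
# Fixes vs. the posted text:
#  - The setInterval pcre ended in a trailing [\s\S]*. It adds nothing
#    to the match, but being greedy it runs to the end of the buffer,
#    and the following "/R" pcre is then evaluated relative to that
#    point - which leaves it nothing to match against; the trailing
#    class was removed. NOTE(review): whether the engine would have
#    retried is not established here - verify against traffic.
#  - The msg had been wrapped across two lines by the mail archive (a
#    newline inside msg:"..." breaks the rule).
#  - reference:url dropped its bogus "http." prefix (Snort prepends the
#    scheme); flow:to_client,established; added; sid made unique
#    (constructed placeholder - assign from your local range >= 1000000).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Similar Method Name Redirection Vulnerability with try/catch"; \
    flow:to_client,established; \
    content:"window.open"; \
    pcre:"/j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; \
    pcre:"/setInterval[\s\S]*try[\s]*\{/Ri"; \
    pcre:"/var[\s]+[\w]+=[\s]*opener\.location\.href[\s\S]+catch[\s]*\(/Ri"; \
    pcre:"/j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; \
    pcre:"/[\w]\.location\.assign[\s]*=[\s]*location\.assign/Ri"; \
    content:"location.href"; \
    reference:url,freehost07.websamba.com/greyhats/similarmethodnameredir.htm; \
    classtype:misc-activity; sid:2000004; rev:2;)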


		
__________________________________
Do you Yahoo!?
Yahoo! Mail is new and improved - Check it out!
http://promotions.yahoo.com/new_mail



