[Snort-sigs] a few more rules FALSE POS

Adrian Marsden amarsden at ...2045...
Wed Jul 21 12:09:03 EDT 2004


The Hotmail LINK CSS Vulnerability creates FPs when connecting to
www.dell.com at 143.166.83.231.

The offending packet follows:-


-----Original Message-----
From: Joseph Gama [mailto:josephgama at ...144...] 
Sent: Monday, July 19, 2004 11:01 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] a few more rules

# Every content keyword below carries no distance/within modifier, so Snort
# searches each string independently anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Hotmail LINK CSS Vulnerability"; content:"<"; \
content:"LINK"; content:"REL"; content:"="; \
content:"STYLESHEET"; content:"TYPE"; content:"="; \
content:"text/javascript"; content:"SRC"; content:"="; \
content:".js"; content:">"; \
reference:url,www.securiteam.com/securitynews/5YP0M1555A.html; \
classtype:attempted-recon; sid:10084; rev:1;)

# sid:99999 is a placeholder shared by the three rules below; each needs its
# own sid before they are loaded together.
# Bare SYN to 3389 with the Windows XP default window size.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
(msg:"Remote desktop connection attempt"; dsize:0; \
ack:0; window:64240; flags:S; flow:stateless; \
reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; \
classtype:attempted-recon; sid:99999; rev:1;)

# TPKT header (version 3, reserved 0) at the start of the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
(msg:"Remote desktop connection active"; dsize:>7; \
content:"|03 00|"; depth:2; \
reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; \
classtype:attempted-recon; sid:99999; rev:1;)

# "/" needs no escaping inside a Snort content string.
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Adobe Acrobat Reader PDF possible buffer overflow"; \
content:"application/vnd.adobe.xfdf"; \
reference:url,www.securityfocus.com/bid/9802; \
classtype:attempted-user; sid:99999; rev:1;)


	
		
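Added example, written for this page and not taken from either poster: a small Python emulation of how Snort evaluates the content keywords of the sid:10084 rule, run over an excerpt of the reported www.dell.com response and over a constructed LINK tag that carries all of the rule's tokens. It assumes the rule's author meant all tokens inside one LINK tag, and approximates Snort's distance:0/within modifiers with a fixed 64-byte window.

```python
# Added example: emulates Snort's evaluation of the content keywords in the
# posted sid:10084 rule, to reproduce the www.dell.com false positive offline.

# Content strings exactly as in the posted rule. Without distance/within
# modifiers Snort searches each one independently over the whole payload:
# any order, any offset, so any page containing all twelve strings fires.
LOOSE_CONTENTS = ["<", "LINK", "REL", "=", "STYLESHEET", "TYPE", "=",
                  "text/javascript", "SRC", "=", ".js", ">"]

# Tightened variant (assumption: the author meant all tokens inside one LINK
# tag). Each token must start within WITHIN bytes after the previous match,
# approximating "distance:0; within:WITHIN;" on every content after the first.
ORDERED_CONTENTS = ["<LINK", "REL", "=", "STYLESHEET", "TYPE", "=",
                    "text/javascript", "SRC", "=", ".js", ">"]
WITHIN = 64

def loose_match(payload: bytes) -> bool:
    """True if every content string occurs anywhere in the payload (case-sensitive)."""
    return all(c.encode() in payload for c in LOOSE_CONTENTS)

def ordered_match(payload: bytes, within: int = WITHIN) -> bool:
    """True only if the tokens appear in order, each close to the previous one."""
    pos = 0
    for i, tok in enumerate(t.encode() for t in ORDERED_CONTENTS):
        end = None if i == 0 else pos + within + len(tok)  # first token unanchored
        idx = payload.find(tok, pos, end)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True

# Excerpt of the www.dell.com response from the reported packet (trimmed to
# the lines that supply the rule's tokens), used here as test input.
DELL_EXCERPT = (
    b'\t<LINK REL="STYLESHEET" TYPE="text/css" HREF="css.htm">\r\n'
    b'\t<SCRIPT LANGUAGE="JavaScript" SRC="http://www.dell.com/js/montage.js">'
    b'</SCRIPT>\r\n<script type="text/javascript" language="JavaScript">\r\n'
)

# Constructed sample of what the rule's keywords describe: one LINK tag that
# carries all of them (a test vector for the rule, not an exploit).
LINK_SAMPLE = b'<LINK REL="STYLESHEET" TYPE="text/javascript" SRC="sheet.js">'

if __name__ == "__main__":
    for name, data in (("dell", DELL_EXCERPT), ("link_sample", LINK_SAMPLE)):
        # dell: True False (the FP); link_sample: True True
        print(name, loose_match(data), ordered_match(data))
```

The loose form fires on the Dell page because every token is present somewhere in it, while the ordered form does not, yet still fires on the sample the rule was written for.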