[Snort-sigs] a few more rules FALSE POS

Joseph Gama josephgama at ...144...
Wed Jul 21 13:52:04 EDT 2004


alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Hotmail LINK CSS Vulnerability"; \
pcre:"/<[ \t]*(LINK)[ \t]+(REL)[ \t]*(=)[ \t]*(STYLESHEET)[ \t]+(TYPE)[ \t]*(=)[ \t]*(\x22)[ \t]*(text\/javascript)[ \t]*(\x22)[ \t]+(SRC)[ \t]*(=)/i"; \
reference:url,www.securiteam.com/securitynews/5YP0M1555A.html; \
classtype:attempted-recon; sid:10084; rev:1;)

--- Adrian Marsden <amarsden at ...2045...> wrote:
> The Hotmail LINK CSS Vulnerability creates FPs when connecting to
> www.dell.com at 143.166.83.231.
> 
> The offending packet follows:-
> 
> 
> -----Original Message-----
> From: Joseph Gama [mailto:josephgama at ...144...] 
> Sent: Monday, July 19, 2004 11:01 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] a few more rules
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any \
> (msg:"Hotmail LINK CSS Vulnerability"; content:"<"; content:"LINK"; content:"REL"; content:"="; \
> content:"STYLESHEET"; content:"TYPE"; content:"="; content:"text/javascript"; content:"SRC"; content:"="; \
> content:".js"; content:">"; reference:url,www.securiteam.com/securitynews/5YP0M1555A.html; \
> classtype:attempted-recon; sid:10084; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
> (msg:"Remote desktop connection attempt"; dsize:0; ack:0; window:64240; flags:S; flow:stateless; \
> reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; \
> classtype:attempted-recon; sid:99999; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
> (msg:"Remote desktop connection active"; dsize:>7; content:"|03 00|"; depth:2; \
> reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; \
> classtype:attempted-recon; sid:99999; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET any \
> (msg:"Adobe Acrobat Reader PDF possible buffer overflow"; content:"application/vnd.adobe.xfdf"; \
> reference:url,www.securityfocus.com/bid/9802; \
> classtype:attempted-user; sid:99999; rev:1;)
> 
> 
> 
>
-------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic
> Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1
> today.
>
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 



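To see why the content-only rule quoted in this thread fires on an ordinary web page while the pcre version does not, here is an added Python model (not from the thread or from Snort itself) that applies both matching strategies to constructed HTML samples; the hostnames and the sample markup are made up, and the content: chain is approximated as independent substring searches, which is how Snort treats content options that carry no distance or within modifiers.

```python
import re

# Constructed sample payloads, not taken from the thread.
# BENIGN_HTML mimics an ordinary commercial front page: a real CSS stylesheet
# link followed by ordinary <SCRIPT SRC=...js> tags. Every keyword of the
# original rule occurs somewhere in it, just never in the suspicious order.
BENIGN_HTML = (
    '<LINK REL="STYLESHEET" TYPE="text/css" HREF="css.htm">\r\n'
    '<SCRIPT LANGUAGE="JavaScript" SRC="http://www.example.com/js/site.js"></SCRIPT>\r\n'
    '<script type="text/javascript" language="JavaScript">var x = 1;</script>\r\n'
)
# SUSPECT_HTML is the shape the rule is written for: a LINK element whose
# TYPE is text/javascript and which pulls a script via SRC (placeholder host).
SUSPECT_HTML = (
    '<LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://placeholder.example/x.js">'
)

# The content: keywords of the first (content-only) rule, in the order posted.
OLD_RULE_CONTENTS = ["<", "LINK", "REL", "=", "STYLESHEET", "TYPE", "=",
                     "text/javascript", "SRC", "=", ".js", ">"]

def old_rule_matches(payload: str) -> bool:
    """Approximate a chain of content: options with no distance/within
    modifiers: each keyword only has to occur somewhere in the payload
    (case-sensitive, since no nocase was set), independent of the others."""
    return all(tok in payload for tok in OLD_RULE_CONTENTS)

# The pcre of the revised rule, transcribed to Python re (Snort's /i -> re.I).
NEW_RULE_PCRE = re.compile(
    r'<[ \t]*(LINK)[ \t]+(REL)[ \t]*(=)[ \t]*(STYLESHEET)[ \t]+(TYPE)[ \t]*(=)'
    r'[ \t]*(")[ \t]*(text/javascript)[ \t]*(")[ \t]+(SRC)[ \t]*(=)',
    re.I,
)

def new_rule_matches(payload: str) -> bool:
    """The regex forces the keywords to be adjacent and in order, so a CSS
    LINK followed later by an unrelated SCRIPT tag no longer fires."""
    return NEW_RULE_PCRE.search(payload) is not None

def evaluate(payload: str) -> dict:
    """Return the verdict of both rule versions for one payload."""
    return {"old_rule": old_rule_matches(payload),
            "new_rule": new_rule_matches(payload)}

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML)):
        print(name, evaluate(payload))
```

Running it shows the benign page tripping only the old rule, while the suspect markup is caught by both.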