[Snort-sigs] Re: Snort-sigs digest, Vol 1 #1022 - 9 msgs

Todd Smith tsmith at ...2656...
Wed Jul 21 14:16:11 EDT 2004


snort-sigs-request at lists.sourceforge.net wrote:

>Today's Topics:
>
>   1. Traffic parsing order (Cluett, Russell)
>   2. new rules for Kcast ticker (Miner, Jonathan W (CSC) (US SSA))
>   3. Re: new rules for Kcast ticker (Matthew Jonkman)
>   4. Re: rules to detect possible threats by the dll's called,
>       Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow (Matthew Jonkman)
>   5. sid:2578 sid 2579 (Mark)
>   6. Re: rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow (Joseph Gama)
>   7. RE: a few more rules FALSE POS (Adrian Marsden)
>   8. RE: a few more rules FALSE POS - fixed (Joseph Gama)
>
>--__--__--
>
>Message: 1
>From: "Cluett, Russell" <russell.cluett at ...2654...>
>To: snort-sigs at lists.sourceforge.net
>Date: Wed, 21 Jul 2004 07:48:33 -0400
>Subject: [Snort-sigs] Traffic parsing order
>
>I'm trying to figure out how to reduce load and am wondering about
>something. In the rule (below) traffic is parsed for a variety of things,
>first being source & destination & port, then the filename and finally if it
>is html or not. What I'm wondering is if the parsing order was changed to be
>source & destination & port , then move content:"\<html\>"; to be *before*
>filename, would it help speed up processing (assuming that not all port 25
>traffic is going to be html)? Example below ...
>
>#Submitted by Michael Sconzo
>alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; content:"\<html\>"; sid:2000561; rev:5;)
>
>Change to:
>alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Possible Bagle.AI Worm Outbound"; content:"\<html\>"; content:"filename="; pcre:"m/(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)/"; pcre:"m/(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)/"; sid:2000561; rev:5;)
>
>My logic being that before parsing for the filename it can dismiss anything
>that is not html. Does that make sense?
>
>Thanks,
>Russ Cluett CISSP GCIH
>Senior Information Security Analyst
>Electronic Data Systems - EDS
>AVIEN Founding Member
>
>
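As an added illustration of the ordering question above (example code, not from the thread or from Snort itself), the following Python models how a rule's payload options are walked left to right with a stop at the first miss, and counts the pcre evaluations each ordering of sid:2000561 costs over a small constructed set of port-25 payloads; the fast-pattern prefilter on the longest content option is Snort 2.x default behaviour and is modelled too.

```python
"""Rule-option ordering for the Bagle.AI rule (sid:2000561).

Added example, not from the thread: a toy evaluator that walks a rule's
payload options in the order written, stops at the first option that fails
and counts the pcre evaluations each ordering costs over a constructed set
of port-25 payloads.
"""
import re

# Constructed SMTP payloads: most port-25 traffic is neither HTML nor carries
# an attachment, which is exactly the case Russ wants to dismiss cheaply.
PAYLOADS = [
    "From: a@example.test\r\n\r\nplain text body, nothing attached\r\n",
    'Content-Disposition: attachment; filename="report.pdf"\r\n\r\nquarterly numbers\r\n',
    "Content-Type: text/html\r\n\r\n<html><body>newsletter</body></html>\r\n",
    'Content-Type: text/html\r\n<html>Animals<br>\r\n'
    'Content-Disposition: attachment; filename="Cat.scr"\r\n',
]

# The two pcre bodies from the rule (the m/.../ wrapper stripped).
NAMES = r"(Dog|MP3|Doll|Garry|Fish|New_MP3_Player|Cat|Cool_MP3).(scr|cpl|zip|exe|com)"
SUBJECTS = (r"(fotogalary\ and\ Music|Animals|foto3\ and\ MP3|fotoinfo|"
            r"Screen\ and\ Music|Lovely\ animals|Predators|The\ snake)")

# Payload options in the order the two rule versions list them; the rule's
# "\<html\>" is the plain string "<html>" once Snort unescapes it.
ORIGINAL = [("content", "filename="), ("pcre", NAMES),
            ("pcre", SUBJECTS), ("content", "<html>")]
REORDERED = [("content", "<html>"), ("content", "filename="),
             ("pcre", NAMES), ("pcre", SUBJECTS)]


def fast_pattern(options):
    """Longest content option: Snort 2.x uses it by default to decide whether
    a rule is evaluated at all, independent of where it sits in the rule."""
    return max((p for kind, p in options if kind == "content"), key=len)


def evaluate(options, payload):
    """Evaluate options left to right; return (alert, pcre_evaluations)."""
    pcre_evals = 0
    for kind, pattern in options:
        if kind == "content":
            hit = pattern in payload           # plain case-sensitive substring
        else:
            pcre_evals += 1                    # the expensive step we count
            hit = re.search(pattern, payload) is not None
        if not hit:
            return False, pcre_evals           # short-circuit on first miss
    return True, pcre_evals


def cost(options, payloads):
    """Alerts raised and pcre evaluations spent over a payload set. Payloads
    lacking the fast pattern never reach option evaluation."""
    fp = fast_pattern(options)
    alerts = evals = 0
    for payload in payloads:
        if fp not in payload:
            continue
        alert, n = evaluate(options, payload)
        alerts += alert
        evals += n
    return alerts, evals


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, "fast pattern:", fast_pattern(rule), "->", cost(rule, PAYLOADS))
```

Both orderings raise the same single alert, but the reordered rule spends fewer pcre evaluations because the cheap "<html>" check discards non-HTML mail before any regex runs; the fast pattern is "filename=" in both versions, so moving "<html>" first does not change which packets enter the rule at all.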
>--__--__--
>
>Message: 2
>Date: Wed, 21 Jul 2004 09:03:50 -0400
>From: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner at ...2476...>
>To: <snort-sigs at lists.sourceforge.net>
>Subject: [Snort-sigs] new rules for Kcast ticker
>
>I have two new rules that catch the Kcast ticker, which is used to monitor Gold and Silver prices.
>
>
>alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/agtray.txt"; nocase; classtype:policy-violation; sid:1000000; rev:1;)
>
>alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE KitCo Kcast Ticker"; uricontent:"/pr/autray.txt"; nocase; classtype:policy-violation; sid:1000001; rev:1;)
>
>The tool makes repeated requests, every 10 seconds, to the following URLs. Each request returns 22 bytes of encoded data.
>
>GET http://kcast.kitco.com/pr/autray.txt HTTP/1.0
>GET http://kcast.kitco.com/pr/agtray.txt HTTP/1.0
>
>Details:
>
>http://kcast.kitco.com/
>
>
>--__--__--
>
>Message: 3
>Date: Wed, 21 Jul 2004 09:08:07 -0500
>From: Matthew Jonkman <matt at ...2436...>
>To: "Miner, Jonathan W (CSC) (US SSA)" <jonathan.w.miner at ...2476...>
>CC:  snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] new rules for Kcast ticker
>
>They're up on Bleedingsnort.com.  I called them Policy since the app 
>doesn't appear to have a malware or adware component, just an annoying 
>amount of traffic. :)
>
>Thanks Jonathan
>
>Matt
>
>
>--__--__--
>
>Message: 4
>Date: Wed, 21 Jul 2004 09:59:49 -0500
>From: Matthew Jonkman <matt at ...2436...>
>To:  josephgama at ...144...
>CC:  snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] rules to detect possible threats by the dll's called,
> Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow
>
>Questions inline:
>
>Joseph Gama wrote:
>
>>#(create packets-DOS, tunneling, etc)
>>#libnetnt.dll
>>#libnet.dll
>>#libdnet.dll
>>
>>#(read packets-sniffer, etc)
>>#wpcap.dll
>>#rpklib.dll
>>
>>#(all purpose, Trojan, RAT, etc)
>>#socket.dll
>>#ws2_32.dll
>>#wsock32.dll
>>#packet32.dll
>>#packet.dll
>>#iphlpapi.dll
>>#wininet.dll
>>
>>#(ShellCode, RAT)
>>#cmd.exe
>>#\cmd.exe
>>#explorer.exe
>>#shell32.dll
>>
>>#(DOS, ping)
>>#icmp.dll
>>
>>#local network(net send, enumerate)
>>#netapi32.dll 
>>
>
>I'm concerned about falses on these. Backups, program downloads, 
>executing programs across the network, etc, would likely trip a number 
>of them.
>
>Have you been using them Joseph? How accurate are they? Anyone else 
>tried them?
>
>>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Invalid fragment+TCP flags"; dsize:0; ack:0; fragbits:!M; flags:!AP,12; window:2048; reference:arachnids,162; classtype:bad-unknown; sid:99999; rev:1;)
>>
>Question for the sourcefire folks, is this type of packet not detected 
>by existing means? And is flags the way to annotate it, or should it be 
>something new? I understand flags is obsoleted, but can't find 
>documentation on a better way. Or is that just flags for flow?
>
>
>>alert tcp any any -> any any (msg:"Adobe Acrobat Reader XFDF possible buffer overflow"; content:"application/vnd.adobe.xfdf"; reference:url,http.www.nextgenss.com/advisories/adobexfdf.txt; classtype:bad-unknown; sid:99999; rev:1;)
>>
>And not to shoot down everything you did Joseph, :)  this is going to be 
>chock full of falses. The filetype is legitimate, there's nothing to 
>differentiate this from a false. And I know I hit these files quite a 
>bit (and are all legitimate). Is there something we can add to it to 
>identify a malicious hit?
>
>Thanks for the work Joseph.
>
>Matt
>
>
>--__--__--
>
>Message: 5
>From: Mark <markmormartin at ...1934...>
>To: snort-sigs at lists.sourceforge.net
>Date: Wed, 21 Jul 2004 17:54:11 +0100
>Subject: [Snort-sigs] sid:2578 sid 2579
>
>Hi,
>I have just downloaded
>snortrules-snapshot-2_1.tar.gz from the snort.org site and in sid 2578
>and 2579 there is the asn1 keyword. From looking at the docs it appears
>this keyword is only added in the 2_2 code base. Is this correct?
>Mark
>
>
>--__--__--
>
>Message: 6
>Date: Wed, 21 Jul 2004 11:48:45 -0700 (PDT)
>From: Joseph Gama <josephgama at ...144...>
>Reply-To: josephgama at ...144...
>Subject: Re: [Snort-sigs] rules to detect possible threats by the dll's called, Invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow
>To: Matthew Jonkman <matt at ...2436...>
>Cc: snort-sigs at lists.sourceforge.net
>
>--- Matthew Jonkman <matt at ...2436...> wrote:
>>Questions inline:
>>
>>Joseph Gama wrote:
>>
>>>#(create packets-DOS, tunneling, etc)
>>>#libnetnt.dll
>>>#libnet.dll
>>>#libdnet.dll
>>>
>>>#(read packets-sniffer, etc)
>>>#wpcap.dll
>>>#rpklib.dll
>>>
>>>#(all purpose, Trojan, RAT, etc)
>>>#socket.dll
>>>#ws2_32.dll
>>>#wsock32.dll
>>>#packet32.dll
>>>#packet.dll
>>>#iphlpapi.dll
>>>#wininet.dll
>>>
>>>#(ShellCode, RAT)
>>>#cmd.exe
>>>#\cmd.exe
>>>#explorer.exe
>>>#shell32.dll
>>>
>>>#(DOS, ping)
>>>#icmp.dll
>>>
>>>#local network(net send, enumerate)
>>>#netapi32.dll 
>>>
>
>Hi Matt, thank you for the feedback! :)
>
>>I'm concerned about falses on these. Backups,
>>program downloads, 
>>executing programs across the network, etc, would
>>likely trip a number 
>>of them.
>>
>>Have you been using them Joseph? How accurate are
>>they? Anyone else 
>>tried them?
>
>My tests are very limited, kind of academic...
>Executing programs across the network wouldn't trip
>them because they are $EXTERNAL_NET any -> $HOME_NET any.
>I think that they should be more accurate than
>detecting file extensions. Some are very common with
>comm apps but others are at least very suspicious. How
>many legitimate apps call cmd.exe? wpcap.dll is
>usually in a sniffer, rpklib.dll is an excellent
>library mostly used by RATs or worms but I have seen
>legitimate tools using it as well. When downloading a
>freeware text editor, screensaver or game you don't
>expect it to be able to connect to the internet,
>right? This is all very relative.
>
>>>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Invalid fragment+TCP flags"; dsize:0; ack:0; fragbits:!M; flags:!AP,12; window:2048; reference:arachnids,162; classtype:bad-unknown; sid:99999; rev:1;)
>>>
>>Question for the sourcefire folks, is this type of
>>packet not detected 
>>by existing means? And is flags the way to annotate
>>it, or should it be 
>>something new? I understand flags is obsoleted, but
>>can't find 
>>documentation on a better way. Or is that just flags
>>for flow?
>>
>
>Which flags are legal in a fragmented packet? How does
>it work in OS's other than Linux and Windows? This is
>a hot issue and it will create a long debate. Let's
>hear from the gurus.
>
>
>>>alert tcp any any -> any any (msg:"Adobe Acrobat Reader XFDF possible buffer overflow"; content:"application/vnd.adobe.xfdf"; reference:url,http.www.nextgenss.com/advisories/adobexfdf.txt; classtype:bad-unknown; sid:99999; rev:1;)
>>>
>>And not to shoot down everything you did Joseph, :) 
>>this is going to be 
>>chock full of falses. The filetype is legitimate,
>>there's nothing to 
>>differentiate this from a false. And I know I hit
>>these files quite a 
>>bit (and are all legitimate). Is there something we
>>can add to it to 
>>identify a malicious hit?
>>
>
>No problem! :)
>No, there is no way to identify malicious code. At
>least we can know when such a file was downloaded.
>If you use application/vnd.adobe.xfdf with any file,
>even binary ones, it will happen; that is why it is so
>dangerous.
>
>Actually I am surprised that no one has yet tried my
>rules for NETBIOS access. I thought they would be a
>good subject for discussion.
>
>Peace,
>
>Joseph
>
>--__--__--
>
>Message: 7
>Subject: RE: [Snort-sigs] a few more rules FALSE POS
>Date: Wed, 21 Jul 2004 15:06:02 -0400
>From: "Adrian Marsden" <amarsden at ...2045...>
>To: <josephgama at ...144...>,
>	<snort-sigs at lists.sourceforge.net>
>
>The Hotmail LINK CSS Vulnerability creates FPs when connecting to
>www.dell.com at 143.166.83.231.
>
>The offending packet follows:-
>
>
>-----Original Message-----
>From: Joseph Gama [mailto:josephgama at ...144...]
>Sent: Monday, July 19, 2004 11:01 PM
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] a few more rules
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Hotmail LINK CSS Vulnerability"; content:"<"; content:"LINK"; content:"REL"; content:"="; content:"STYLESHEET"; content:"TYPE"; content:"="; content:"text/javascript"; content:"SRC"; content:"="; content:".js"; content:">"; reference:url,www.securiteam.com/securitynews/5YP0M1555A.html; classtype:attempted-recon; sid:10084; rev:1;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Remote desktop connection attempt"; dsize:0; ack:0; window:64240; flags:S; flow:stateless; reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; classtype:attempted-recon; sid:99999; rev:1;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Remote desktop connection active"; dsize:>7; content:"|03 00|"; depth:2; reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; classtype:attempted-recon; sid:99999; rev:1;)
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Adobe Acrobat Reader PDF possible buffer overflow"; content:"application\/vnd.adobe.xfdf"; reference:url,www.securityfocus.com/bid/9802; classtype:attempted-user; sid:99999; rev:1;)
>
>
>
>
>--__--__--
>
>Message: 8
>Date: Wed, 21 Jul 2004 13:37:53 -0700 (PDT)
>From: Joseph Gama <josephgama at ...144...>
>Reply-To: josephgama at ...144...
>Subject: RE: [Snort-sigs] a few more rules FALSE POS - fixed
>To: Adrian Marsden <amarsden at ...2045...>, snort-sigs at lists.sourceforge.net
>
>Thank you for the update.
>
>The rule has been fixed:
>
>alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Hotmail LINK CSS Vulnerability"; pcre:"/<[ \t]+(LINK)[ \t]+(REL)[ \t]+(=)[ \t]+(STYLESHEET)[ \t]+(TYPE)[ \t]+(=)[ \t]+(")[ \t]+(text/javascript)[ \t]+(")[ \t]+(SRC)[ \t]+(=)/i"; reference:url,www.securiteam.com/securitynews/5YP0M1555A.html; classtype:attempted-recon; sid:10084; rev:1;)
>
>Peace,
>
>Joseph Gama
>
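As an added check on the two versions of sid:10084 (example code, not from the thread), the following Python models a Snort content list and the fixed rule's pcre against a constructed page laid out like the Dell response Adrian captured and against a constructed tag of the shape the rule is meant to catch; the tag-scoped regex at the end is this example's own suggestion, not something the thread proposes.

```python
"""Checks on both versions of the Hotmail LINK CSS rule (sid:10084).

Added example, not code from the thread: a toy model of a Snort content list
(every token must occur somewhere in the payload, case-sensitively, in any
order) and of the pcre from the fixed rule, run against a constructed
payload laid out like the Dell page Adrian captured and against a
constructed tag of the shape the rule is meant to catch.
"""
import re

# Constructed, following the ASCII column of the reported Dell packet: a
# stylesheet LINK, a SCRIPT with SRC=...js and a lowercase "text/javascript".
BENIGN_DELL_PAGE = (
    '<LINK REL="STYLESHEET" TYPE="text/css" HREF="css.htm">\r\n'
    '\t<SCRIPT LANGUAGE="JavaScript" SRC="http://www.dell.com/js/montage.js">'
    '</SCRIPT>\r\n'
    '<script type="text/javascript" language="JavaScript">'
    'var m_imgPfx = "http://img.dell.com";</script>\r\n'
)

# Constructed (shape assumed for this example): one LINK tag whose stylesheet
# type is text/javascript and which pulls a script via SRC.
SUSPICIOUS_TAG = ('<LINK REL="STYLESHEET" TYPE="text/javascript" '
                  'SRC="http://example.test/x.js">')

# Constructed: the only layout the fixed pcre accepts, since every [ \t]+
# demands at least one space or tab, including one right after "<".
SPACED_FORM = '< LINK REL = STYLESHEET TYPE = " text/javascript " SRC = x.js>'

# Tokens of the original rule, each an independent content match.
ORIGINAL_CONTENTS = ["<", "LINK", "REL", "=", "STYLESHEET", "TYPE", "=",
                     "text/javascript", "SRC", "=", ".js", ">"]

# The pcre of the fixed rule, copied from the thread.
FIXED_PCRE = re.compile(
    r'<[ \t]+(LINK)[ \t]+(REL)[ \t]+(=)[ \t]+(STYLESHEET)[ \t]+(TYPE)[ \t]+(=)'
    r'[ \t]+(")[ \t]+(text/javascript)[ \t]+(")[ \t]+(SRC)[ \t]+(=)', re.I)

# This example's own suggestion, not from the thread: require all three
# attributes inside a single LINK tag so tokens from separate tags cannot
# combine into a hit.
TAG_PCRE = re.compile(
    r'<LINK\b[^>]*\bREL\s*=\s*"?STYLESHEET"?[^>]*'
    r'\bTYPE\s*=\s*"?text/javascript"?[^>]*\bSRC\s*=', re.I)


def content_list_matches(contents, payload):
    """Model of unmodified content options: all tokens present, any order."""
    return all(token in payload for token in contents)


def pcre_matches(regex, payload):
    return regex.search(payload) is not None


if __name__ == "__main__":
    for label, payload in (("Dell page", BENIGN_DELL_PAGE),
                           ("suspicious tag", SUSPICIOUS_TAG),
                           ("spaced form", SPACED_FORM)):
        print(label,
              "content list:", content_list_matches(ORIGINAL_CONTENTS, payload),
              "fixed pcre:", pcre_matches(FIXED_PCRE, payload),
              "tag pcre:", pcre_matches(TAG_PCRE, payload))
```

The content list fires on the Dell page because its tokens are collected from three different tags, while the fixed pcre fires on neither the Dell page nor the compact suspicious tag and only on the spaced form, which is the check worth running before shipping the rule.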
>--__--__--
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>
>End of Snort-sigs Digest
>




