[Snort-sigs] rule 1667 should be replaced

Joseph Gama josephgama at ...144...
Tue Jul 27 13:59:25 EDT 2004


Hi,

Rule 1667 has many flaws:
1-spaces between keywords are not considered
2-SRC doesn't have to follow IMG
3-javascript might have ', " or nothing
4-in IE it is possible to obfuscate the keyword
javascript with any number of chars x09 to 0x13

This is my proposal for replacement:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
  (msg:"WEB-MISC cross site scripting HTML Image tag set to javascript attempt with SRC"; \
  flow:to_server,established; \
  pcre:"/<IMG\s+(\bSRC\b)\s*=\s*[\x22\x27]*[\x09-\x13]*j[\x09-\x13]*a[\x09-\x13]*v[\x09-\x13]*a[\x09-\x13]*s[\x09-\x13]*c[\x09-\x13]*r[\x09-\x13]*i[\x09-\x13]*p[\x09-\x13]*t/i"; \
  classtype:web-application-attack; sid:1667; rev:6;)

It considers all of the problems cited above.

Peace,

Joseph Gama
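The proposed pcre transcribed into Python so its coverage of the four listed flaws can be checked offline against constructed HTML fragments. This is an added example, not part of the post; the sample fragments are constructed here, and the character range [\x09-\x13] is taken from the post's description rather than verified against any browser.

```python
import re

# Added example: the proposed Snort pcre in Python's re syntax.
IGNORED = r"[\x09-\x13]*"  # chars the post says IE ignores inside the keyword
IMG_JS_RE = re.compile(
    r"<IMG\s+\bSRC\b\s*=\s*[\x22\x27]*"       # <IMG, spaces, SRC, spaces, =, optional quotes
    + IGNORED + IGNORED.join("javascript"),   # j a v a s c r i p t with ignored chars between
    re.IGNORECASE,
)


def matches(fragment: str) -> bool:
    """True if the fragment would trigger the proposed rule's pcre."""
    return IMG_JS_RE.search(fragment) is not None


# Constructed samples: one per flaw listed in the post, plus benign tags
# that must not fire. Value is (fragment, expected verdict).
SAMPLES = {
    "plain":       ('<IMG SRC="javascript:alert(1)">', True),
    "spaces":      ("<IMG   SRC   =   'javascript:alert(1)'>", True),  # flaw 1
    "no_quotes":   ("<img src=javascript:alert(1)>", True),             # flaw 3
    "mixed_case":  ('<Img Src="JaVaScRiPt:alert(1)">', True),
    "tab_in_word": ('<IMG SRC="jav\tascript:alert(1)">', True),        # flaw 4 (0x09)
    "cr_in_word":  ('<IMG SRC="java\rscript:alert(1)">', True),        # flaw 4 (0x0d)
    "benign_path": ('<IMG SRC="/images/logo.png">', False),
    "not_keyword": ('<IMG SRC="javascr1pt:alert(1)">', False),
}


def run_samples() -> dict:
    """Map sample name -> True if the regex verdict equals the expectation."""
    return {name: matches(frag) == want for name, (frag, want) in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:12s} {'ok' if ok else 'MISMATCH'}")
```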


