[Snort-sigs] WEB-CLIENT HTML DOM invalid element creation attempt,Sig ID,3549

Russell Fulton r.fulton at ...575...
Wed Feb 8 12:32:10 EST 2006


I'm seeing several 1000 hits a day on this rule from all over the globe.

If you need more info I'm happy to supply it.

Russell

META
--------
SID	CID	TimeStamp		Signature
6	377134	2006-02-08 14:21:48	WEB-CLIENT HTML DOM invalid element
creation attempt
Sig ID
3549

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
128.100.131.33	130.216.191.183	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	576	26567	0	0	108	40667

Resolved Source
amscmsweb.wisst.utoronto.ca

Resolved Dest
gate1.ec.auckland.ac.nz

TCP
--------
Source Port	Dest Port	Seq		Ack		
80		39895		1152954908	1768103730
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
8	0		16	17520	30122		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X					

DATA
--------
6173735F6E616D652920	ass_name)
7B0D0A09656C656D656E	{...elemen
742E636C6173734E616D	t.classNam
65203D20636C6173735F	e = class_
6E616D653B0D0A7D0D0A	name;..}..
66756E6374696F6E2043	function C
68616E67655F456C656D	hange_Elem
656E745F49442028656C	ent_ID (el
656D656E742C49445F6E	ement,ID_n
616D6529207B0D0A0965	ame) {...e
6C656D656E742E696420	lement.id
3D2049445F6E616D653B	= ID_name;
0D0A7D0D0A0D0A66756E	..}....fun
6374696F6E2053686F77	ction Show
4C6179657231286E616D	Layer1(nam
652C69645F6E2C206263	e,id_n, bc
6F6C6F7229207B0D0A09	olor) {...
69662028646F63756D65	if (docume
6E742E63726561746545	nt.createE
6C656D656E74297B0D0A	lement){..
090968656C7064697220	..helpdir
3D20646F63756D656E74	= document
2E676574456C656D656E	.getElemen
7442794964286E616D65	tById(name
293B0D0A090968656C70	);....help
6469722E7374796C652E	dir.style.
6261636B67726F756E64	background
436F6C6F72203D206263	Color = bc
6F6C6F723B0D0A09096D	olor;....m
797461626C653D646F63	ytable=doc
756D656E742E63726561	ument.crea
7465456C656D656E7428	teElement(
225441424C4522293B0D	"TABLE");.
0A0909746162626F6479	...tabbody
3D646F63756D656E742E	=document.
637265617465456C656D	createElem
656E74282254424F4459	ent("TBODY
22293B0D0A0909726F77	");....row
3D646F63756D656E742E	=document.
637265617465456C656D	createElem
656E742822545222293B	ent("TR");
0D0A090963656C6C3D64	....cell=d
6F63756D656E742E6372	ocument.cr
65617465456C656D656E	eateElemen
742822544422293B0D0A	t("TD");..
0909746578744E6F6465	..textNode
3D646F63756D656E742E	=document.
63726561746554657874	createText
4E6F64652869645F6E29	Node(id_n)
3B0D0A090963656C6C2E	;....cell.
617070656E644368696C	appendChil
6428746578744E6F6465	d(textNode
293B0D0A	);..

DATA
--------
ass_name) {...element.className = class_name;..}..function C
hange_Element_ID (element,ID_name) {...element.id = ID_name;
..}....function ShowLayer1(name,id_n, bcolor) {...if (docume
nt.createElement){....helpdir = document.getElementById(name
);....helpdir.style.backgroundColor = bcolor;....mytable=doc
ument.createElement("TABLE");....tabbody=document.createElem
ent("TBODY");....row=document.createElement("TR");....cell=d
ocument.createElement("TD");....textNode=document.createText
Node(id_n);....cell.appendChild(textNode);..




More information about the Snort-sigs mailing list