[Snort-sigs] WEB-CLIENT HTML DOM invalid element creation attempt,Sig ID,3549

M. Shirk shirkdog_list at ...12...
Fri Feb 10 06:45:03 EST 2006


I get hits when navigating http://www.ubuntulinux.org and 
http://www.gentoo-wiki.com.

Is the pcre getting greedy with \w+?


Shirkdog
http://www.shirkdog.us




>From: Russell Fulton <r.fulton at ...575...>
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] WEB-CLIENT HTML DOM invalid element creation 
>attempt,Sig ID,3549
>Date: Thu, 09 Feb 2006 09:31:27 +1300
>
>I'm seeing several 1000 hits a day on this rule from all over the globe.
>
>If you need more info I'm happy to supply it.
>
>Russell
>
>META
>--------
>SID	CID	TimeStamp		Signature
>6	377134	2006-02-08 14:21:48	WEB-CLIENT HTML DOM invalid element
>creation attempt
>Sig ID
>3549
>
>Sensor Hostname				Sensor Interface
>hihi.insec.auckland.ac.nz	new dmz sensor
>
>IP
>--------
>Source Address	Dest Address	Ver	Hdr Len
>128.100.131.33	130.216.191.183	4	5
>TOS	length	ID	flags	offset	TTL	chksum
>0	576	26567	0	0	108	40667
>
>Resolved Source
>amscmsweb.wisst.utoronto.ca
>
>Resolved Dest
>gate1.ec.auckland.ac.nz
>
>TCP
>--------
>Source Port	Dest Port	Seq		Ack
>80		39895		1152954908	1768103730
>Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
>8	0		16	17520	30122		0
>
>Options
>--------
>None
>
>
>Flags
>--------
>RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
>			X
>
>DATA
>--------
>ass_name) {...element.className = class_name;..}..function C
>hange_Element_ID (element,ID_name) {...element.id = ID_name;
>..}....function ShowLayer1(name,id_n, bcolor) {...if (docume
>nt.createElement){....helpdir = document.getElementById(name
>);....helpdir.style.backgroundColor = bcolor;....mytable=doc
>ument.createElement("TABLE");....tabbody=document.createElem
>ent("TBODY");....row=document.createElement("TR");....cell=d
>ocument.createElement("TD");....textNode=document.createText
>Node(id_n);....cell.appendChild(textNode);..
>