[Snort-sigs] [Emerging-Sigs] FP : WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt

Joel Esler jesler at ...435...
Mon Feb 20 09:40:01 EST 2012


Discussion of VRT rules belongs on the Snort-sigs list.  Cc'ed here.

J

On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:

> I am hitting a false positive for the rule on visiting Yahoo.
> 
> web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"<IFRAME "; nocase; pcre:"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)
> 
> 
>  ID 	 < Signature > 	 < Timestamp > 	 < Source Address > 	 < Dest. Address > 	 < Layer 4 Proto > 
> 	#0-(5-49715)	[cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt	 2012-02-20 08:47:05 	202.43.205.15:80	192.168.56.1:44895 	TCP 
> 	#1-(5-49712)	[cve] [icat] [bugtraq] [snort] WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt	 2012-02-20 08:46:57 	202.43.205.15:80	192.168.56.1:44895 	TCP
> 
> 
> HTTP/1.1 200 OK
> Date: Mon, 20 Feb 2012 03:17:05 GMT
> Server: YTS/1.19.8
> P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
> X-RightMedia-Hostname: raptor0122.rm.sg1
> Set-Cookie: ih="b!!!!'!%LG<!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W>"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
> Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
> Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
> Set-Cookie: liday1=nfg#QNHRYlV!- at ...3633...; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
> Cache-Control: no-store
> Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
> Pragma: no-cache
> Content-Type: text/html
> Age: 0
> Transfer-Encoding: chunked
> Connection: keep-alive
> 
> 493
> <html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(12037232);}
> </script><!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) -->
> <iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C" frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>
> 
> 0
> I believe that this is a VRT rule; do let me know if I can discuss those here, as I don't want to break any rules of this mailing list.
> 
> -- 
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
> 
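To show why the legitimate Yahoo ad tag above trips sid:15147, here is an added example (not from the list thread or the VRT rule set) that re-implements the rule's content and pcre checks with Python's re module and runs them over the iframe from the captured response and over a constructed short embed. `rule_fires`, `iframe_src_length`, `AD_HTML` and `BENIGN_HTML` are names of my own.

```python
import re

# sid:15147's pcre, translated to Python's re module with the same flags
# (s -> DOTALL, m -> MULTILINE, i -> IGNORECASE). \x22 and \x27 are the
# double and single quote; the empty alternative allows an unquoted src.
# The heuristic is: 400 consecutive src characters with no quote, space or '>'.
IFRAME_RE = re.compile(
    r'<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}',
    re.S | re.M | re.I,
)

# Helper (my own, not part of the rule): pull out the src value so a hit
# can be explained by its length.
SRC_RE = re.compile(
    r'<iframe\s+[^>]*?src\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]*))', re.I | re.S
)


def rule_fires(body: str) -> bool:
    """Emulate the rule's content match on "<IFRAME " (nocase) followed by its pcre."""
    return "<iframe " in body.lower() and IFRAME_RE.search(body) is not None


def iframe_src_length(body: str) -> int:
    """Length of the first <iframe> src attribute, 0 if there is none."""
    m = SRC_RE.search(body)
    if m is None:
        return 0
    return len(next(g for g in m.groups() if g is not None))


# The ad iframe from the captured Yahoo response quoted above (src copied
# from the page and split across literals for readability).
AD_SRC = (
    "http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua"
    "&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code"
    "&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924"
    "&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html"
    "&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825"
    "&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw"
    "%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C"
)
AD_HTML = ('<html><body><iframe src="%s" frameborder="0" scrolling="no" '
           'width="160" height="600"></iframe></body></html>' % AD_SRC)

# Constructed control case: an ordinary embed with a short src.
BENIGN_HTML = ('<iframe src="https://example.com/embed/video?id=12345" '
               'width="640" height="360"></iframe>')

if __name__ == "__main__":
    for name, html in (("yahoo ad", AD_HTML), ("short embed", BENIGN_HTML)):
        print(f"{name}: src length {iframe_src_length(html)}, "
              f"sid:15147 fires = {rule_fires(html)}")
```

The ad URL carries an encoded click-through parameter that alone pushes the src well past 400 characters, so the rule's length heuristic matches it exactly as it would the oversized iframe src from CVE-2004-1050; ad-network tags of this shape are a predictable source of such hits.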
