[Snort-sigs] Couple sigs

James Lay jlay at ...3266...
Fri Sep 7 14:06:03 EDT 2012


So...I get really tired of malicious redirects, so here are a couple 
sigs:

Maybe hidden iframes are all over the net...maybe not, but this one is 
specifically designed to catch stuff like the below:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Hidden iframe"; flow:to_client,established; file_data; content:"<iframe width=1 height=1 style=visibility|3a|hidden"; classtype:bad-unknown; sid:10000023; rev:1;)

<iframe width=1 height=1 style=visibility:hidden src='http://www.redacted.com/wp-count.php?ref=redacted</iframe>
This next one is to catch those pages that are just a single refresh 
line with a link to an IP...I see a lot of these types being pointed at 
from compromised (WordPress) sites...as I understand it file_data should 
make this sig search from the beginning of the response body...which is 
exactly where I want it to search and not, say, the middle of the page (I 
hope):


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Page with only IP redirect, possible compromised site"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/sm"; classtype:bad-unknown; sid:10000024; rev:1;)

<html><head><meta http-equiv="refresh" content="0;url=http://redacted/redacted"></meta></head></html>
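
The matching logic of both rules above, as an added Python illustration that is not part of the original post or of Snort itself. It replays the two content/pcre checks over constructed response bodies and also shows a tightened variant of the second rule (the `_tight` function, an assumption of this example, equivalent in spirit to adding `depth` and a relative pcre) whose IP test is bound to the refresh URL rather than to any dotted quad in the body:

```python
import re

# Constructed sample HTTP response bodies (not captures from the original post).
HIDDEN_IFRAME = (b"<html><body>Welcome\n"
                 b"<iframe width=1 height=1 style=visibility:hidden "
                 b"src='http://example.invalid/wp-count.php?ref=x'></iframe>\n"
                 b"</body></html>")
IP_REFRESH = (b'<html><head><meta http-equiv="refresh" '
              b'content="0;url=http://192.0.2.10/landing"></meta></head></html>')
# Benign refresh page whose body contains a version string that looks like an IP.
BENIGN_REFRESH = (b'<html><head><meta http-equiv="refresh" '
                  b'content="5;url=https://example.invalid/build-1.2.3.4"></head>'
                  b'<body>Redirecting...</body></html>')
CLEAN = b"<html><head><title>ok</title></head><body>Hello</body></html>"

# Snort's \d{1,3}(\.\d{1,3}){3} pcre from sid:10000024, unanchored.
IPV4 = re.compile(rb"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
REFRESH_PREFIX = b'<html><head><meta http-equiv="refresh'

def sid_10000023(body: bytes) -> bool:
    """Hidden iframe: a fixed content match anywhere in the file_data buffer."""
    return b"<iframe width=1 height=1 style=visibility:hidden" in body

def sid_10000024(body: bytes) -> bool:
    """As written: content anywhere in the body, then the pcre over the whole body."""
    return REFRESH_PREFIX in body and IPV4.search(body) is not None

def sid_10000024_tight(body: bytes) -> bool:
    """Tightened variant: content must sit at offset 0 (like depth on the content)
    and the IP must be the host of the refresh URL (like a relative pcre with /R)."""
    if not body.startswith(REFRESH_PREFIX):
        return False
    rest = body[len(REFRESH_PREFIX):]
    url_ip = rb'content="\d+;\s*url=https?://\d{1,3}(?:\.\d{1,3}){3}[/"]'
    return re.search(url_ip, rest) is not None

def fired(body: bytes) -> set:
    """Return the set of rule names that would alert on this body."""
    hits = set()
    if sid_10000023(body):
        hits.add("sid:10000023")
    if sid_10000024(body):
        hits.add("sid:10000024")
    if sid_10000024_tight(body):
        hits.add("sid:10000024 (tight)")
    return hits

if __name__ == "__main__":
    for name, body in [("hidden iframe", HIDDEN_IFRAME), ("ip refresh", IP_REFRESH),
                       ("benign refresh", BENIGN_REFRESH), ("clean", CLEAN)]:
        print(f"{name:15s} -> {sorted(fired(body))}")
```

The benign page fires the rule as written because the unanchored pcre finds "1.2.3.4" in the body, but not the tightened variant, which is the kind of false positive to watch for outside an environment that has not seen any yet.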
So far no FPs in my environment, your mileage may vary.  As usual, 
comments, thoughts, improvements, hack & slash on these are welcome.  
Thanks all.

James