[Snort-sigs] Couple sigs

Alex Kirk akirk at ...435...
Mon Sep 10 09:49:57 EDT 2012


These look like solid rules, James - especially the hidden Iframe bit, that
seems like suspicious practice even if it's on a "legit" web site.

I'm going to have these run through our rule testing group, just in case we
see legit sites doing either one of these things on a regular basis - but
assuming that they come up clean, I think they'd be excellent additions to,
say, INDICATOR-OBFUSCATION.

On Fri, Sep 7, 2012 at 2:06 PM, James Lay <jlay at ...3266...> wrote:

> So...I get really tired of malicious redirects, so here are a couple
> sigs:
>
> Maybe hidden iframes are all over the net...maybe not, but this one is
> specifically designed to catch stuff like the below:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Hidden iframe"; flow:to_client, established; file_data; content:"<iframe
> width=1 height=1 style=visibility|3a|hidden"; classtype:bad-unknown;
> sid:10000023; rev:1;)
>
> <iframe width=1 height=1 style=visibility:hidden
> src='http://www.redacted.com/wp-count.php?ref=redacted</iframe>
>
>
>
>
> this next one is to catch those pages that are just a single refresh
> line with a link to an IP...I see a lot of these types being pointed at
> from compromised (wordpress) sites...as I understand it file_data should
> make this sig search from the beginning of the response body...which is
> exactly where I want it to search and not say the middle of the page (I
> hope):
>
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-COMPROMISE Page with only IP redirect, possible
> compromised site"; flow:to_client, established; file_data;
> content:"<html><head><meta http-equiv=|22|refresh";
> pcre:"/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/sm"; classtype:bad-unknown;
> sid:10000024; rev:1;)
>
> <html><head><meta http-equiv="refresh"
> content="0;url=http://redacted/redacted"></meta></head></html>
>
>
>
>
> So far no FP's in my environment, your mileage may vary.  As usual,
> comments, thoughts, improvements, hack & slash on these are welcome.
> Thanks all.
>
> James



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
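As an added illustration of what the two posted rules actually match (this is example code written for this archive page, not something James or Alex posted), the script below models Snort's `file_data` buffer as the HTTP response body and applies each rule's `content` string and PCRE to a few constructed responses. The sample responses, the hostnames and the addresses in them are all made up; `sid_10000024_tight` is a hypothetical tightened pattern of mine that ties the dotted quad to the refresh URL itself, and is not part of the rule on the list.

```python
import re

# Constructed HTTP responses (not real traffic). Headers are included so the
# example can show that file_data only covers the body.
SAMPLES = {
    "hidden_iframe": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><body><p>Welcome</p>"
        "<iframe width=1 height=1 style=visibility:hidden "
        "src='http://example.invalid/wp-count.php?ref=x'></iframe>"
        "</body></html>"
    ),
    "ip_refresh": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://203.0.113.10/x"></meta></head></html>'
    ),
    # Refresh to a hostname, but an unrelated IP appears in the page text and
    # another in the headers: shows where the unanchored PCRE can fire.
    "host_refresh_with_ip_in_text": (
        "HTTP/1.1 200 OK\r\nServer: 198.51.100.7\r\n\r\n"
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://example.invalid/"></head>'
        "<body>Our NTP server is 192.0.2.44</body></html>"
    ),
    "benign": (
        "HTTP/1.1 200 OK\r\nServer: 198.51.100.7\r\n\r\n"
        "<html><head><title>hi</title></head><body>Visible page</body></html>"
    ),
}


def file_data(response: str) -> str:
    """Return the response body, the region Snort's file_data keyword selects."""
    _, sep, body = response.partition("\r\n\r\n")
    return body if sep else ""


# sid:10000023 -- the |3a| in the Snort content string is a literal ':'.
# Snort content matches are case-sensitive unless nocase is given.
IFRAME_CONTENT = "<iframe width=1 height=1 style=visibility:hidden"

# sid:10000024 -- fixed content, then a PCRE with /sm that is not relative
# to the content match, so the dotted quad may sit anywhere in the body.
REFRESH_CONTENT = '<html><head><meta http-equiv="refresh'
DOTTED_QUAD = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", re.S | re.M)


def sid_10000023(response: str) -> bool:
    """True when the hidden-iframe rule would alert on this response."""
    return IFRAME_CONTENT in file_data(response)


def sid_10000024(response: str) -> bool:
    """True when the IP-redirect rule as posted would alert on this response."""
    body = file_data(response)
    return REFRESH_CONTENT in body and DOTTED_QUAD.search(body) is not None


# Hypothetical tightened variant (my suggestion, not on the list): the
# dotted quad must be the host inside the refresh URL.
REFRESH_TO_IP = re.compile(
    r'content="\d+;\s*url=https?://\d{1,3}(?:\.\d{1,3}){3}', re.I
)


def sid_10000024_tight(response: str) -> bool:
    body = file_data(response)
    return REFRESH_CONTENT in body and REFRESH_TO_IP.search(body) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Run all three checks over every sample; returns {name: {rule: fired}}."""
    return {
        name: {
            "10000023": sid_10000023(resp),
            "10000024": sid_10000024(resp),
            "10000024_tight": sid_10000024_tight(resp),
        }
        for name, resp in samples.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:30s} {hits}")
```

The third sample is the one worth looking at when deciding whether to run the rule as posted: the `Server:` header address never counts because it is outside `file_data`, but the address in the body text does, because the PCRE is searched over the whole body rather than relative to the `content` hit.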

