[Snort-sigs] Couple sigs
jlay at ...3266...
Mon Sep 10 10:22:27 EDT 2012
On 2012-09-10 07:52, Alex Kirk wrote:
> With, that is, some tweaks to be slightly less specific. If you can
> evaded by simply switching the order of the width and height on the
> first one, for example, well, youre probably less than useful.
Thanks Alex. For the hidden iframe, I'm thinking maybe something like
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISE Hidden iframe"; flow:to_client, established;
file_data; content:"<iframe"; content:"width="; content:"height=";
classtype:bad-unknown; sid:10000023; rev:2;)
I was thinking a byte_test that will test to see if width= or height=
are less than say 2, but I haven't yet figured out how to get that to
fly, so I guess the pcre will suffice for now. This alerts on my packet
cap, and so far no FP's running live. You think some within statements
might help? Thanks Alex.
More information about the Snort-sigs