[Snort-sigs] Couple sigs

James Lay jlay at ...3266...
Mon Sep 10 11:36:29 EDT 2012


On 2012-09-10 09:30, Alex Kirk wrote:
> Actually, the real issue with obfuscation is around the order of the
> width, height, and style parameters. Right now, just swapping any of
> those around in terms of their order within the packet evades the
> rule.
>
> I had thought about doing a PCRE to validate that all three elements
> were within a single tag, but that actually turns into a lot of
> potential permutations fairly rapidly once youve got 3 distinct
> options (3! worth, or 6 possible layouts, if my old math classes and
> my memory are serving me right), which will make for a fairly
> expensive PCRE - especially given that it would enter fairly
> frequently, since things like "style=visibility:hidden" are somewhat
> common elements on any given HTML page. Nick Randolph had an 
> excellent
> idea that revolves around using negative distance values to create a
> "window" of possible places for matches to occur that actually works
> fairly well in testing:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (msg:"INDICATOR-OBFUSCATION hidden iframe - potential include of
> malicious content"; flow:to_client, established; file_data;
> content:"<iframe "; nocase; content:"width=1"; nocase; distance:0;
> within:50; content:"height=1"; nocase; distance:-40; within:80;
> content:"style=visibility|3a|hidden"; nocase; distance:-40; 
> within:80;
> classtype:bad-unknown;)
>
> Id still want to verify that its not common practice to do a hidden
> iframe in this manner in the wild, but writing the rule like this is 
> a
> nice balance between specificity, non-evadability, and performance,
> IMHO. Yes, theres the 2x2, or 0x0, iframes to deal with, etc., but
> since most of the stuff Ive ever seen in the wild is 1x1 or 0x0, then
> wed just have a pair of rules around this and be done with it.
>
> FWIW, Nick is working on a blog post explaining the logic of using
> negative distances like these for detection. Hopefully thatll be up
> this week.
>


Ah nice...thanks Alex.  I'll put this new rule into the live 
environment and let you know how it goes.

James





More information about the Snort-sigs mailing list