[Snort-sigs] Couple sigs

Alex Kirk akirk at ...435...
Mon Sep 10 12:00:04 EDT 2012

On Mon, Sep 10, 2012 at 11:40 AM, lists at ...3397... <lists at ...3397...
> wrote:

> On 09/10/12 10:30, Alex Kirk wrote:
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > hidden iframe - potential include of malicious content"; flow:to_client,
> > established; file_data; content:"<iframe "; nocase; content:"width=1";
> nocase;
> > distance:0; within:50; content:"height=1"; nocase; distance:-40;
> within:80;
> > content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
> > classtype:bad-unknown;)
> I've seen \x22 and \x27 being used occasionally to quote the in-line style
> declaration.
> Cheers,
> Nathan
> Which, of course, goes back to the whole issue of "HTML is such a
relatively free-form mockup language that there's a zillion ways to evade
any sort of detection."

If this concept isn't totally blown out of the water by lots of legitimate
web sites using hidden iframes, then it seems to me that the best way to
proceed is to figure out what's the least performance-intensive way of
accounting for all of the potential permutations. This may end up being
several rules, or potentially even a single rule with a PCRE; I'm honestly
agnostic as to how the end result is achieved, so long as it works when
we're done. Long-term, it might even make sense to have additional Snort
functionality to normalize cases like this (i.e. standardize how quotes
appear in a normalized buffer) to make things more sane, but that's
something we'd need to debate fairly extensively within the community
before implementing, I'm sure.

In the meantime, thanks for the input, you make a very good point.

Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
alex.kirk at ...435...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120910/3d84fdbe/attachment.html>

More information about the Snort-sigs mailing list