[Snort-sigs] Snort-sigs Digest, Vol 76, Issue 14

Joel Esler jesler at ...435...
Tue Sep 11 13:29:48 EDT 2012


Your HOME_NET should read "ipvar HOME_NET 192.168.1.0/24"

If that's what you are trying to do.

On Sep 11, 2012, at 1:24 PM, PR <oly562 at ...2420...> wrote:

> when I ran a script, bash simple with 2 lines just like I type them into
> the cmdline, it said ipvar 192.168.1.0/24 can't be something... I have
> since just ran the cmds one at a time, and I don't see that anymore, but
> it said failed or errored... something like that. sorry I missed it...
> maybe it's in the logs? I can't read the logs as they are in unified
> format. I guess... lol....
> 
> ls /var/log/snort/
> alert                 snort.log.1347321601  snort.log.1347374349
> snort.log.1347320873  snort.log.1347325626  snort.log.1347382370
> snort.log.1347321584  snort.log.1347346937  snort.log.1347382486
> snort.log.1347321592  snort.log.1347347097  snort.log.1347383400
> 
> this is what I mean, I can't less them:
> 
> less /var/log/snort/snort.log.1347320873 
> "/var/log/snort/snort.log.1347320873" may be a binary file.  See it
> anyway?
> 
> your thoughts?
> 
> thanks pete
> 
> 
> On Tue, 2012-09-11 at 17:04 +0000,
> snort-sigs-request at lists.sourceforge.net wrote:
>> Today's Topics:
>> 
>>   1. Re: Couple sigs (lists at ...3397...)
>>   2. Re: Couple sigs (Alex Kirk)
>>   3. Re: Couple sigs (lists at ...3397...)
>>   4. Re: Up and Running (Joel Esler)
>> 
>> 
>> ----------------------------------------------------------------------
>> 
>> Message: 1
>> Date: Mon, 10 Sep 2012 10:40:16 -0500
>> From: "lists at ...3397..." <lists at ...3397...>
>> Subject: Re: [Snort-sigs] Couple sigs
>> To: Alex Kirk <akirk at ...435...>
>> Cc: Snort-sigs <snort-sigs at lists.sourceforge.net>
>> Message-ID: <504E09E0.3080403 at ...3397...>
>> Content-Type: text/plain; charset="us-ascii"
>> 
>> On 09/10/12 10:30, Alex Kirk wrote:
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION
>>> hidden iframe - potential include of malicious content"; flow:to_client,
>>> established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase;
>>> distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80;
>>> content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
>>> classtype:bad-unknown;)
>> 
>> I've seen \x22 and \x27 being used occasionally to quote the in-line style
>> declaration.
>> 
>> Cheers,
>> Nathan
>> 
>> 
>> 
>> 
>> ------------------------------
>> 
>> Message: 2
>> Date: Mon, 10 Sep 2012 12:00:04 -0400
>> From: Alex Kirk <akirk at ...435...>
>> Subject: Re: [Snort-sigs] Couple sigs
>> To: "lists at ...3397..." <lists at ...3397...>
>> Cc: Snort-sigs <snort-sigs at lists.sourceforge.net>
>> Message-ID:
>> 	<CABed_ZcRBwOY4tP2-WcSHrQS8RO-5hvqwUbBQfewyxjvaVP+Rg at ...2421...>
>> Content-Type: text/plain; charset="iso-8859-1"
>> 
>> On Mon, Sep 10, 2012 at 11:40 AM, lists at ...3397... <lists at ...3397...> wrote:
>> 
>>> On 09/10/12 10:30, Alex Kirk wrote:
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION
>>>> hidden iframe - potential include of malicious content"; flow:to_client,
>>>> established; file_data; content:"<iframe "; nocase; content:"width=1"; nocase;
>>>> distance:0; within:50; content:"height=1"; nocase; distance:-40; within:80;
>>>> content:"style=visibility|3a|hidden"; nocase; distance:-40; within:80;
>>>> classtype:bad-unknown;)
>>> 
>>> I've seen \x22 and \x27 being used occasionally to quote the in-line style
>>> declaration.
>>> 
>>> Cheers,
>>> Nathan
>>> 
>>> 
>> Which, of course, goes back to the whole issue of "HTML is such a
>> relatively free-form mockup language that there's a zillion ways to evade
>> any sort of detection."
>> 
>> If this concept isn't totally blown out of the water by lots of legitimate
>> web sites using hidden iframes, then it seems to me that the best way to
>> proceed is to figure out what's the least performance-intensive way of
>> accounting for all of the potential permutations. This may end up being
>> several rules, or potentially even a single rule with a PCRE; I'm honestly
>> agnostic as to how the end result is achieved, so long as it works when
>> we're done. Long-term, it might even make sense to have additional Snort
>> functionality to normalize cases like this (i.e. standardize how quotes
>> appear in a normalized buffer) to make things more sane, but that's
>> something we'd need to debate fairly extensively within the community
>> before implementing, I'm sure.
>> 
>> In the meantime, thanks for the input, you make a very good point.
>> 
>> -- 
>> Alex Kirk
>> AEGIS Program Lead
>> Sourcefire Vulnerability Research Team
>> +1-410-423-1937
>> alex.kirk at ...435...
>> 
>> ------------------------------
>> 
>> Message: 3
>> Date: Mon, 10 Sep 2012 11:09:41 -0500
>> From: "lists at ...3397..." <lists at ...3397...>
>> Subject: Re: [Snort-sigs] Couple sigs
>> To: Alex Kirk <akirk at ...435...>
>> Cc: Snort-sigs <snort-sigs at lists.sourceforge.net>
>> Message-ID: <504E10C5.70708 at ...3397...>
>> Content-Type: text/plain; charset="us-ascii"
>> 
>> On 09/10/12 11:00, Alex Kirk wrote:
>>> single rule with a PCRE
>> 
>> I'm kind of partial to:
>> 
>> file_data; content:"<iframe "; nocase; content:"visibility|3a|hidden";
>> within:100; nocase; pcre:"/\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]/i";
>> 
>> Not really sure though how to make that one performance friendly since the PCRE
>> engine may be invoked often.
>> 
>> Either way, good conversation James and Alex, I believe this theme to be very
>> useful.
>> 
>> 
>> 
>> ------------------------------
>> 
>> Message: 4
>> Date: Tue, 11 Sep 2012 13:04:35 -0400
>> From: Joel Esler <jesler at ...435...>
>> Subject: Re: [Snort-sigs] Up and Running
>> To: PR <oly562 at ...2420...>
>> Cc: snort-sigs <snort-sigs at lists.sourceforge.net>
>> Message-ID: <28EBC923-168A-4444-A8F7-34501E42481E at ...435...>
>> Content-Type: text/plain; charset="us-ascii"
>> 
>> On Sep 11, 2012, at 1:02 PM, PR <oly562 at ...2420...> wrote:
>> 
>>> 4. only thing I see complaining so far was the ipvar option for
>>> 192.168.1.0/24, and the No White/Black_list.rules that are there.
>>> maybe perms or chown needed on rules dir?
>> 
>> What complained about the ipvar option for HOME_NET?
>> 
>> But, white and black list rules are not in our standard ruleset at this time.
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>> 
>> ------------------------------
>> 
> 
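Pete's snort.log.* files are unified2 binary records, which is why less refuses to show them. As an added example (not code from the thread or from Snort itself), the Python below decodes the two record types Snort writes most often, the legacy IDS event (type 7) and the packet record (type 2), from a constructed sample stream; the field layouts follow Snort's unified2 header definitions, and the sample values are made up.

```python
import struct

# Unified2 record types, as defined in Snort's unified2 headers
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

REC_HDR = struct.Struct("!II")         # record header: type, length (big-endian)
IDS_EVENT = struct.Struct("!11I2H4B")  # Unified2IDSEvent_legacy, 52 bytes
PACKET_HDR = struct.Struct("!7I")      # Unified2Packet header, then packet bytes

def ip4(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_unified2(data: bytes) -> list[dict]:
    """Walk a unified2 byte stream and decode event and packet records."""
    records, off = [], 0
    while off + REC_HDR.size <= len(data):
        rtype, rlen = REC_HDR.unpack_from(data, off)
        body = data[off + REC_HDR.size: off + REC_HDR.size + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated record at offset {off}")
        if rtype == UNIFIED2_IDS_EVENT and rlen >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            records.append({"type": "event", "event_id": f[1], "time": f[2],
                            "gid": f[5], "sid": f[4], "rev": f[6],
                            "src": ip4(f[9]), "dst": ip4(f[10]),
                            "sport": f[11], "dport": f[12], "proto": f[13]})
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HDR.size:
            p = PACKET_HDR.unpack_from(body)
            records.append({"type": "packet", "event_id": p[1], "linktype": p[5],
                            "packet": body[PACKET_HDR.size:PACKET_HDR.size + p[6]]})
        else:  # other types (IPv6, VLAN, extra data) are skipped by their length
            records.append({"type": f"unknown({rtype})", "length": rlen})
        off += REC_HDR.size + rlen
    return records

def build_sample() -> bytes:
    """Constructed sample stream (not a real capture): one event plus its packet."""
    ev = IDS_EVENT.pack(1, 42, 1347320873, 0, 1000001, 1, 3, 0, 2,
                        0xC0A80105, 0x0A000001, 80, 51234, 6, 0, 0, 0)
    pkt = b"\x45\x00\x00\x14" + b"\x00" * 16   # fake 20-byte IPv4 header
    pk = PACKET_HDR.pack(1, 42, 1347320873, 1347320873, 0, 1, len(pkt)) + pkt
    return (REC_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + REC_HDR.pack(UNIFIED2_PACKET, len(pk)) + pk)

if __name__ == "__main__":
    for rec in parse_unified2(build_sample()):
        print(rec)
```

To read a real file, replace build_sample() with open("/var/log/snort/snort.log.1347320873", "rb").read().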

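To check, before deploying, which of the hidden-iframe variants discussed in the digest each pattern actually catches, here is an added Python harness (not code from the thread or from Snort) that approximates a nocase content chain and runs Nathan's pcre, translated to Python's re, over constructed HTML fragments. The within-window handling is a simplification of Snort's semantics, and alex_style_content tests only the unquoted style content from Alex's rule, not his full distance/within chain.

```python
import re

# Nathan's pcre from the thread, translated to Python's re
# (\x3c is "<", \x3e is ">", \x3d is "="; Snort's /i flag becomes re.I)
IFRAME_PCRE = re.compile(rb"\x3ciframe[^\x3e]+[heigwdth]{5,6}[^\x3d]*?=[0-1][^\d]", re.I)

def find_chain(body: bytes, patterns: list[bytes], within: int) -> bool:
    """Approximate a nocase content chain: after the first hit, each later
    pattern must end within `within` bytes of the previous match's end."""
    b = body.lower()
    pos = b.find(patterns[0].lower())
    if pos < 0:
        return False
    end = pos + len(patterns[0])
    for pat in patterns[1:]:
        pat = pat.lower()
        hit = b.find(pat, end, end + within)
        if hit < 0:
            return False
        end = hit + len(pat)
    return True

def nathan_rule(body: bytes) -> bool:
    """content:'<iframe '; content:'visibility|3a|hidden'; within:100; plus the pcre."""
    return (find_chain(body, [b"<iframe ", b"visibility:hidden"], 100)
            and IFRAME_PCRE.search(body) is not None)

def alex_style_content(body: bytes) -> bool:
    """Only the unquoted 'style=visibility|3a|hidden' content from Alex's rule,
    with a generous window standing in for his distance/within offsets."""
    return find_chain(body, [b"<iframe ", b"style=visibility:hidden"], 200)

# Constructed HTML fragments, not taken from real traffic
SAMPLES = {
    "unquoted": b'<html><iframe src=x width=1 height=1 style=visibility:hidden></iframe>',
    "dquoted": b'<html><iframe src="x" width="1" height="1" style="visibility:hidden"></iframe>',
    "benign": b'<html><iframe src=x width=600 height=400></iframe>',
}

def evaluate(samples: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (nathan_rule hit, alex_style_content hit)} per sample."""
    return {name: (nathan_rule(html), alex_style_content(html)) for name, html in samples.items()}

if __name__ == "__main__":
    for name, (n, a) in evaluate(SAMPLES).items():
        print(f"{name:9s} nathan_rule={n} alex_style_content={a}")
```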