[Snort-sigs] The content pattern of Rule SID: 19713 can be improved

Ruowen Wang rwang9 at ...2642...
Mon Jul 29 11:41:48 EDT 2013


Hi Alex,

Thanks for pointing this out. Actually, I was previously checking an old
snortrules-2922, which didn't contain the 24187 and 24188 rules. I checked the
latest one, snortrules-2946, and find that 24188 can cover the Metasploit attack.

It's good to know public exploits are covered by Snort rules. I also notice
there is a specific rule file, exploit-kit.rules, focusing on exploit tool
kits. That's great!

Thanks again!

Thank you very much! Have a nice day!
----
Looking forward to your reply

Best Regards!
Sincerely yours,

Ruowen Wang
Graduate Student
Department of Computer Science
North Carolina State University
E-mail: rwang9 at ...2642...



On Mon, Jul 29, 2013 at 7:06 AM, Alex McDonnell
<amcdonnell at ...435...> wrote:

> Hi Ruowen,
>
> If you search through the ruleset for CVE 2011-2371 you will find that
> there are more rules that cover this vulnerability; on top of 19713 there
> are 19714, 24187 and 24188. Each of these rules covers different vectors and
> they should cover all public exploits.
>
> thanks,
> Alex McDonnell
> VRT
>
>
> On Mon, Jul 29, 2013 at 1:42 AM, Ruowen Wang <rwang9 at ...2642...> wrote:
>
>> Dear All,
>>
>> I am doing research to test Snort rules using Metasploit exploit
>> scripts. I find that the content pattern of the rule sid:19713 might be
>> inaccurate and can be improved. The rule is:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow";
>> flow:to_client,established; file_data; content:"a.length=0xffffffff";
>> nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
>> metadata:policy balanced-ips drop, policy security-ips drop, service http;
>> reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
>> sid:19713; rev:2;)
>>
>> I find that in its content patterns "a.length..." and "a.reduce...", "a"
>> is actually a JavaScript variable name (more specifically, it is an Array
>> object in this attack), which can be freely chosen by the attacker. In
>> addition, I find this rule cannot detect the Metasploit attack. The
>> corresponding exploit is
>>
>> http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mozilla_reduceright.rb
>>
>> If there is anyone who is familiar with this rule, please take a look,
>> and correct me if I am wrong.
>>
>> Thank you very much! Have a nice day!
>>
>>
>> Best Regards!
>> Ruowen
>>
>>
>>
>
>
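The point Ruowen raises about sid:19713 is that its two content matches pin the array variable name "a", which the author of the page being served chooses. The following added example (not from this thread, not a VRT rule, and not Snort itself) approximates Snort's chained content matching with nocase and distance:0 in Python, runs it over two constructed sample responses, and contrasts it with a hypothetical variable-name-agnostic pattern, ROBUST_RE, that anchors on the property access and the call rather than on the identifier. The function names, the sample strings and ROBUST_RE are all assumptions introduced here.

```python
import re

# Constructed sample responses (not taken from the thread or the exploit).
# The first uses the variable name that sid:19713 pins; the second is the
# same sequence with the array renamed; the third is benign JavaScript.
SAMPLE_PINNED = b"var a = []; a.length=0xFFFFFFFF; a.reduceRight(callback,0);"
SAMPLE_RENAMED = b"var arr = []; arr.length=0xffffffff; arr.reduceRight(callback,0);"
SAMPLE_BENIGN = b"var list = []; list.length = 0; list.reduceRight(f, 0);"


def content_match(data, patterns):
    """Approximate a chain of Snort 'content' options with nocase and
    distance:0: each pattern must occur after the end of the previous match
    (case-insensitively). This is a simplification of the real matcher."""
    hay = data.lower()
    pos = 0
    for pat in patterns:
        idx = hay.find(pat.lower(), pos)
        if idx == -1:
            return False
        pos = idx + len(pat)
    return True


# The two content patterns of sid:19713, with the |28| |2C| |29| byte
# escapes expanded to '(' ',' ')'.
SID_19713_CONTENTS = [b"a.length=0xffffffff", b"a.reduceRight(callback,0)"]


def matches_sid_19713(data):
    """Does the file_data buffer satisfy the content chain of sid:19713?"""
    return content_match(data, SID_19713_CONTENTS)


# Hypothetical alternative (assumption, not an official rule): require an
# identifier followed by '.length' set to 0xffffffff, then later any
# identifier followed by '.reduceRight(' . The identifier itself is not
# pinned, so renaming the array does not affect the match.
ROBUST_RE = re.compile(
    rb"(?i)[\w$]+\s*\.\s*length\s*=\s*0x0*ffffffff\b"
    rb".*?[\w$]+\s*\.\s*reduceRight\s*\(",
    re.DOTALL,
)


def matches_robust(data):
    """Does the buffer match the variable-name-agnostic pattern?"""
    return ROBUST_RE.search(data) is not None


def compare_all():
    """Return (sid_19713_hit, robust_hit) for each constructed sample."""
    samples = {
        "pinned": SAMPLE_PINNED,
        "renamed": SAMPLE_RENAMED,
        "benign": SAMPLE_BENIGN,
    }
    return {
        name: (matches_sid_19713(buf), matches_robust(buf))
        for name, buf in samples.items()
    }


if __name__ == "__main__":
    for name, (sid_hit, robust_hit) in compare_all().items():
        print(f"{name:8s} sid:19713={sid_hit!s:5s} robust={robust_hit!s:5s}")
```

Running the block shows the pinned sample matching both checks, the renamed sample matching only the identifier-agnostic pattern, and the benign sample matching neither. A pattern of this shape would be expressed in a real rule with the pcre option, with the fast-pattern content chosen as a literal that the regex also requires, such as the 0xffffffff length assignment; the example does not attempt to reproduce Snort's pcre semantics.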