[Snort-sigs] The content pattern of Rule SID: 19713 can be improved
rwang9 at ...2642...
Mon Jul 29 11:41:48 EDT 2013
Thanks for pointing this out. Actually, I was previously checking an old
snortrules-2922, which didn't contain the 24187 and 24188 rules. I checked the
latest one, snortrules-2946. I find that 24188 can cover the Metasploit attack.
It's good to know public exploits are covered by Snort rules. I also noticed
there is a specific rule file, exploit-kit.rules, focusing on exploit tool
kits. That's great!
Thank you very much! Have a nice day!
Looking forward to your reply
Department of Computer Science
North Carolina State University
E-mail: rwang9 at ...2642...
On Mon, Jul 29, 2013 at 7:06 AM, Alex McDonnell
<amcdonnell at ...435...> wrote:
> Hi Ruowen,
> If you search through the ruleset for CVE 2011-2371 you will find that
> there are more rules that cover this vulnerability; on top of 19713 there
> are 19714, 24187 and 24188. Each of these rules covers different vectors and
> they should cover all public exploits.
> Alex McDonnell
> On Mon, Jul 29, 2013 at 1:42 AM, Ruowen Wang <rwang9 at ...2642...> wrote:
>> Dear All,
>> I am doing research to test Snort rules using Metasploit exploit
>> scripts. I find that the content pattern of the rule sid:19713 might be
>> inaccurate and can be improved. The rule is:
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow";
>> flow:to_client,established; file_data; content:"a.length=0xffffffff";
>> nocase; content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
>> metadata:policy balanced-ips drop, policy security-ips drop, service http;
>> reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
>> sid:19713; rev:2;)
>> I find that in its content patterns "a.length..." and "a.reduce...", "a"
>> in this attack), which can be freely chosen by the attacker. In addition, I
>> find this rule cannot detect the Metasploit attack. The corresponding
>> exploit is
>> If there is anyone who is familiar with this rule, please take a look,
>> and correct me if I am wrong.
>> Thank you very much! Have a nice day!
>> Best Regards!
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> Please visit http://blog.snort.org for the latest news about Snort!
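An added illustration of the point raised in the thread (this is not code from the thread, from Snort, or from the Metasploit module): the two `content` matches in sid:19713 are literal strings that hard-code the variable name `a`, so a page using any other identifier never matches, whereas a `pcre`-style match keyed on the `.length=0xffffffff` assignment followed by a `reduceRight(` call on the same identifier is name-agnostic. The JavaScript samples below are constructed, and the Python functions only approximate Snort's `content`/`nocase`/`distance:0` semantics; the regex is a hypothetical alternative, not proposed rule text.

```python
import re

# Constructed sample file_data bodies (not real exploit code): the same call
# shape with two different variable names, plus a benign reduceRight use.
SAMPLE_VAR_A = b'var a = []; a.length=0xffffffff; a.reduceRight(callback,0);'
SAMPLE_VAR_X = b'var x = []; x.length=0xffffffff; x.reduceRight(callback,0);'
SAMPLE_BENIGN = b'var a = [1,2,3]; a.reduceRight(function(p,c){return p+c;},0);'

# The two content: patterns from sid:19713 with the |..| hex bytes decoded.
CONTENT_1 = b"a.length=0xffffffff"
CONTENT_2 = b"a.reduceRight(callback,0)"


def sid19713_literal_match(data: bytes) -> bool:
    """Approximate 'content:A; nocase; content:B; distance:0; nocase;':
    A anywhere (case-insensitive), then B starting at or after the end of A."""
    d = data.lower()
    i = d.find(CONTENT_1.lower())
    if i < 0:
        return False
    return d.find(CONTENT_2.lower(), i + len(CONTENT_1)) >= 0


# Hypothetical identifier-agnostic pattern: capture any JS identifier whose
# .length is set to 0xffffffff (hex or its decimal form) and require that the
# same identifier is later the receiver of a reduceRight( call.
PCRE_ALT = re.compile(
    rb"([A-Za-z_$][\w$]*)\.length\s*=\s*(?:0x0*ffffffff|4294967295)\b"
    rb".*?\b\1\.reduceRight\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def identifier_agnostic_match(data: bytes) -> bool:
    return PCRE_ALT.search(data) is not None


def evaluate(samples: dict) -> dict:
    """Return {name: (literal_rule_hit, identifier_agnostic_hit)} per sample."""
    return {n: (sid19713_literal_match(s), identifier_agnostic_match(s))
            for n, s in samples.items()}


if __name__ == "__main__":
    results = evaluate({"var_a": SAMPLE_VAR_A, "var_x": SAMPLE_VAR_X,
                        "benign": SAMPLE_BENIGN})
    for name, (lit, agn) in results.items():
        print(f"{name}: literal={lit} identifier_agnostic={agn}")
```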