[Snort-sigs] Linking this with that to create an alert
rmkml at ...174...
Wed Jan 29 11:37:46 EST 2014
First, thank you for all your sharing!
Please try these two sigs:
the first sig matches /jquery in http_uri and sets a flowbit;
the second sig checks the flowbit first and then the HTTP reply for document.write.
Don't forget to add flowbits:noalert; to the first sig if it works ;)
alert tcp any any -> any 80 (msg:"jquery uri flowbits"; flow:to_server,established; content:"/jquery"; nocase; http_uri; flowbits:set,http.jquery; classtype:web-application-activity; sid:1; rev:99;) # flowbits:noalert;
alert tcp any 80 -> any any (msg:"jquery uri with document.write reply attempt"; flow:to_client,established; flowbits:isset,http.jquery; file_data; content:"document.write"; distance:0; classtype:web-application-activity; sid:2; rev:99;)
On Wed, 29 Jan 2014, James Lay wrote:
> In looking at:
> I'm wondering if there's a way to, in plain English: "if I requested a
> jquery named file, and that file contains a document.write, then alert".
> Betting it's a flowbit thing, which I've not really used much. Any
> good resources that could assist with something like this? Thanks.
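
The pairing described in the reply above, as an added example that is not part of the original thread and is not Snort code: a small Python model of how sid:1 sets http.jquery on a session and sid:2 only alerts when that bit is set on the same session. The class, function names and sample traffic are hypothetical and constructed for illustration.

```python
# Added illustration: a toy model of the sid:1 / sid:2 flowbits pairing.
# It is not Snort code; class and function names are hypothetical.

def flow_key(a_ip, a_port, b_ip, b_port):
    # Flowbits are kept per TCP session, so both directions share one key.
    return frozenset([(a_ip, a_port), (b_ip, b_port)])

class FlowbitsModel:
    def __init__(self, noalert_on_first=True):
        self.bits = {}                      # flow key -> set of flowbit names
        self.noalert_on_first = noalert_on_first

    def client_request(self, src, sport, dst, dport, uri):
        # sid:1 -> content:"/jquery"; nocase; http_uri; flowbits:set,http.jquery;
        if dport != 80 or "/jquery" not in uri.lower():
            return []
        self.bits.setdefault(flow_key(src, sport, dst, dport), set()).add("http.jquery")
        return [] if self.noalert_on_first else [1]

    def server_response(self, src, sport, dst, dport, body):
        # sid:2 -> flowbits:isset,http.jquery; file_data; content:"document.write";
        bits = self.bits.get(flow_key(src, sport, dst, dport), set())
        if sport == 80 and "http.jquery" in bits and "document.write" in body:
            return [2]
        return []

def run_sample(noalert_on_first=True):
    """Replay constructed traffic and return the sids that alert, in order."""
    m, fired = FlowbitsModel(noalert_on_first), []
    c, s = "10.0.0.5", "192.0.2.10"         # constructed addresses
    # Flow A: jquery request, reply contains document.write -> sid:2
    fired += m.client_request(c, 40001, s, 80, "/js/jQuery.min.js")
    fired += m.server_response(s, 80, c, 40001, 'document.write("<p>hi</p>")')
    # Flow B: same reply body, but no jquery request on this session -> nothing
    fired += m.client_request(c, 40002, s, 80, "/index.html")
    fired += m.server_response(s, 80, c, 40002, 'document.write("<p>hi</p>")')
    # Flow C: jquery request, reply without document.write -> nothing from sid:2
    fired += m.client_request(c, 40003, s, 80, "/jquery.js")
    fired += m.server_response(s, 80, c, 40003, "window.$ = function(){};")
    return fired
```

Because neither rule unsets http.jquery, a later response on the same keep-alive connection still passes the isset check, which the model reproduces.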