[Snort-sigs] Linking this with that to create an alert

rmkml rmkml at ...174...
Wed Jan 29 11:37:46 EST 2014


Hi James,

First, thx you for your all share!

Please try with these two sigs,

first sig match /jquery on http_uri and set flowbits

second sig check flowbits before and after http reply with document.write.

Don't remember adding flowbits:noalert; on first sig if it's work ;)

alert tcp any any -> any 80 (msg:"jquery uri flowbits"; 
flow:to_server,established; content:"/jquery"; nocase; http_uri; 
flowbits:set,http.jquery; classtype:web-application-activity; sid:1; 
rev:99;) # flowbits:noalert;

alert tcp any 80 -> any any (msg:"jquery uri with document.write reply 
attempt"; flow:to_client,established; flowbits:isset,http.jquery; 
file_data; content:"document.write"; distance:0; 
classtype:web-application-activity; sid:2; rev:99;)

Best Regards
@Rmkml



On Wed, 29 Jan 2014, James Lay wrote:

> All,
>
> In looking at:
>
> http://blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html
>
> I'm wondering if there's a way to, in plain English: "if I requested a
> jquery named file, and that file contains a document.write, then alert".
> Betting it's a flowbit thing, which I've not really used much.  Any
> good resources that could assist with something like this?  Thanks.
>
> James




More information about the Snort-sigs mailing list