[Snort-sigs] Linking this with that to create an alert

James Lay jlay at ...3266...
Wed Jan 29 11:46:51 EST 2014


On 2014-01-29 09:37, rmkml wrote:
> Hi James,
>
> First, thx for all you share!
>
> Please try with these two sigs,
>
> first sig match /jquery on http_uri and set flowbits
>
> second sig check flowbits before and after http reply with 
> document.write.
>
> Don't forget to add flowbits:noalert; on the first sig if it works ;)
>
> alert tcp any any -> any 80 (msg:"jquery uri flowbits";
> flow:to_server,established; content:"/jquery"; nocase; http_uri;
> flowbits:set,http.jquery; classtype:web-application-activity; sid:1;
> rev:99;) # flowbits:noalert;
>
> alert tcp any 80 -> any any (msg:"jquery uri with document.write
> reply attempt"; flow:to_client,established;
> flowbits:isset,http.jquery; file_data; content:"document.write";
> distance:0; classtype:web-application-activity; sid:2; rev:99;)
>
> Best Regards
> @Rmkml
>
>
>
> On Wed, 29 Jan 2014, James Lay wrote:
>
>> All,
>>
>> In looking at:
>>
>> http://blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html
>>
>> I'm wondering if there's a way to, in plain English: "if I requested a
>> jquery named file, and that file contains a document.write, then alert".
>> Betting it's a flowbit thing, which I've not really used much.  Any
>> good resources that could assist with something like this?  Thanks.
>>
>> James

Thanks RM...I'll give these a go in a bit and report my findings :)

James
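The two-rule chain from rmkml's reply, modelled as an added example (this is not code from the thread or from Snort): the first rule sets a per-flow bit on a "/jquery" request, the second alerts on a reply in the same flow only if that bit is set. The traffic below is constructed; it also shows a point the thread leaves implicit, that the bit belongs to one TCP flow and does not arm the second rule on other connections.

```python
# Added model of the flowbits chain (not Snort code). Bits are tracked per
# flow, as Snort does, so a "/jquery" request on one connection cannot arm
# sig 2 on another. Sample traffic is constructed for illustration.

FLOWBIT = "http.jquery"

def sig1_jquery_uri(bits, uri, noalert=True):
    # Sig 1: flow:to_server; content:"/jquery"; nocase; http_uri; flowbits:set
    if "/jquery" in uri.lower():
        bits.add(FLOWBIT)
        if not noalert:            # without flowbits:noalert sig 1 fires too
            return "jquery uri flowbits"
    return None

def sig2_document_write(bits, body):
    # Sig 2: flow:to_client; flowbits:isset,http.jquery; file_data;
    #        content:"document.write"
    if FLOWBIT in bits and "document.write" in body:
        return "jquery uri with document.write reply attempt"
    return None

def inspect(packets, noalert=True):
    """packets: (flow_key, direction, payload); 'req' carries the request
    URI, 'resp' carries the reply body. Returns a list of (flow_key, msg)."""
    flows = {}                     # flow_key -> flowbits set for that flow
    alerts = []
    for flow, direction, payload in packets:
        bits = flows.setdefault(flow, set())
        if direction == "req":
            msg = sig1_jquery_uri(bits, payload, noalert)
        else:
            msg = sig2_document_write(bits, payload)
        if msg:
            alerts.append((flow, msg))
    return alerts

# Constructed sample: flow A requests a jquery file and gets a document.write
# reply; flow B gets a document.write reply without requesting /jquery;
# flow C requests /jquery but the reply is clean.
SAMPLE = [
    ("A", "req",  "/js/jQuery-1.9.1.min.js"),
    ("B", "req",  "/js/app.js"),
    ("A", "resp", "<html><script>document.write(unescape('%3C'))</script>"),
    ("B", "resp", "<html><script>document.write('x')</script></html>"),
    ("C", "req",  "/jquery.js"),
    ("C", "resp", "/*! jQuery v1.9.1 */ (function(e,t){})"),
]

if __name__ == "__main__":
    for hit in inspect(SAMPLE):
        print(hit)                 # only flow A fires sig 2
```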