[Snort-sigs] FP on 31977?

Weir, Jason jason.weir at ...3410...
Mon Mar 16 10:07:03 EDT 2015


Getting hits on 31977 via the GET below - I believe they are false.

GET /services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary&String=r. Memorial Home, Franklin-Tilton Road, 584 West Main St., in Tilton. Deb's family requests that those wishing, may make contributions in her name to ;(function() { var adKeyValue = 't='; adKeyValue                += escape('clio=MAW'); adKeyValue += escape('&cobrand=concordmonitor'); adKeyValue += escape('&linktext=The Make-A-Wish Foundation'); adKeyValue += escape('&linkurl=http://ad.doubleclick.net/ddm/clk/286988598%3B113956851%3Bl'); adKeyValue += escape('&fn=Debra'); adKeyValue += escape('&ln=Jones'); var adClkUrl = 'http://pubads.g.doubleclick.net/gampad/jump?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&' + adKeyValue + '&sz=1x1&c=537810296'; var adImpUrl = 'http://pubads.g.doubleclick.net/gampad/ad?iu=/423686928/prod/obit-aff/obit-standard/clio-inline-1&' + adKeyValue + '&sz=1x1&c=537810296'; document.write(" The Make-A-Wish Foundation "); }()); The Make-A-Wish Foundation of New Hampshire, 814 Elm St., Suite 300, Manchester, NH 03101. For more information go to smartfuneralhome.com.&location=http://www.legacy.com/obituaries/concordmonitor/obituary.aspx?n=debra-ann-jones-ross&pid=174389739&fhid=13973&randomlabel=ga38770210180839515&published=Sat Mar 14 2015 00:00:00 GMT-0400 (Eastern Daylight Time) HTTP/1.1

Looks like the function() { is what is triggering the rule.

Current rule

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)

Will adding content:!" function() " break things?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:!" function() "; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)

Jason
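Added example, not part of Jason's message and not code from the Snort ruleset: a small Python harness that runs the rev 4 match, the proposed rev 5 exclusion and one narrower pattern over three constructed URIs, approximating what Snort's normalized http_uri buffer would hold. It shows two things. The exclusion string " function() " never occurs in the obituary URI, because the text there is "(function() {" with no space before "function", so the proposed rule would still fire on it. And because a negated content is matched against attacker-controlled data, a real payload with the exclusion string appended suppresses the alert. Note also that in the proposed rule the negated content carries no http_uri modifier, so Snort would evaluate it against the raw payload rather than the normalized URI. The sample URIs, the bypass string and the narrower regex are assumptions for illustration, not from the page.

```python
import re

# Constructed sample URIs, roughly what Snort's normalized http_uri buffer
# would hold. They are not real captures. The first is cut down from the
# obituary GET in the post, keeping the "(function() {" that fires the rule.
OBITUARY_URI = (
    "/services/obituaries.ashx?IncludeSidebar=0&Name=Debra Jones Obituary"
    "&String=... may make contributions in her name to ;(function() { "
    "var adKeyValue = 't='; document.write(\" The Make-A-Wish Foundation \"); "
    "}()); The Make-A-Wish Foundation of New Hampshire ..."
)
# The widely used CVE-2014-6271 test string, placed in a query parameter
# (constructed positive sample, not a capture).
SHELLSHOCK_URI = "/cgi-bin/status?host=() { :;}; echo vulnerable"
# The same payload with the proposed exclusion string tucked into a shell
# comment, to show that a negated content is under the attacker's control.
BYPASS_URI = SHELLSHOCK_URI + " # function() "


def rev4(uri: str) -> bool:
    """sid 31977 rev 4 as posted: any '() {' in the URI is a hit."""
    return "() {" in uri


def rev5_proposed(uri: str) -> bool:
    """The proposed rev 5: a hit unless ' function() ' (with both spaces)
    also appears somewhere in the same buffer."""
    return "() {" in uri and " function() " not in uri


def js_function_literal(uri: str) -> bool:
    """True when the '() {' is preceded by the JavaScript 'function' keyword,
    which is what an IIFE like '(function() { ... }())' looks like."""
    return re.search(r"\bfunction\s*\(\)\s*\{", uri) is not None


# A closed function body followed by ';', the shape of '() { :;};'.
# Assumed heuristic for illustration; not a pattern from the Snort ruleset.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def narrower(uri: str) -> bool:
    """Narrower than rev 4: requires '() {' ... '}' followed by ';'. A JS
    IIFE ends '}())', so it does not match. This trades coverage for
    precision; test it against every payload shape you need before use."""
    return SHELLSHOCK_RE.search(uri) is not None


CHECKS = {"rev4": rev4, "rev5_proposed": rev5_proposed,
          "js_function_literal": js_function_literal, "narrower": narrower}
SAMPLES = {"obituary": OBITUARY_URI, "shellshock": SHELLSHOCK_URI,
           "bypass": BYPASS_URI}


def evaluate(checks=CHECKS, samples=SAMPLES):
    """Run every check over every sample; returns {sample: {check: bool}}."""
    return {name: {label: fn(uri) for label, fn in checks.items()}
            for name, uri in samples.items()}


if __name__ == "__main__":
    for name, results in evaluate().items():
        print(f"{name:10s} " + "  ".join(f"{k}={v}" for k, v in results.items()))
```

Running it prints one line per sample. The obituary URI is a hit for both rev 4 and the proposed rev 5, the bypass URI is a hit for rev 4 but not for the proposed rev 5, and only the narrower pattern separates the JavaScript literal from the two Shellshock-shaped URIs.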
