[Snort-sigs] New sig for detecting audit SVG Files contains JavaScript (possible Malicious)

rmkml rmkml at ...4129...
Wed Jan 25 15:28:40 EST 2017


Hi,

First, thanks to ISC SANS for sharing the recent malicious SVG files.

Please check two new sigs for detecting/auditing SVG files that contain JavaScript (possibly malicious):

The first sig detects SVG files:
- it's a first public version; another check is possible, like Content-Type...
- check that you don't already have existing SVG flowbits in your ruleset...
- enhance with a regex to reduce possible FPs...

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Svg flowbits noalert"; flow:to_server,established; content:".svg"; nocase; http_uri; flowbits:set,http.svgfound; flowbits:noalert; classtype:web-application-activity; sid:1; rev:1;)

The second sig does the detection/audit:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Svg contains possible JavaScript attempt"; flow:to_client,established; flowbits:isset,http.svgfound; file_data; content:"svg"; nocase; distance:0; content:"script"; nocase; distance:0; pcre:"/(?:\<|\%3c)svg\b.*?(?:\<|\%3c)script\b/si"; reference:url,isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/; classtype:attempted-user; sid:2; rev:1;)

Don't forget to check the variables.

Please send any comments.

Regards
@Rmkml
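A worked check of the two rules' matching logic, added here as an example and not part of the original post or of the rules themselves. It emulates in Python what the two rules do on one HTTP flow: the `http_uri` check for `.svg` that sets the flowbit, then, on the response body (`file_data`), the ordered case-insensitive `svg`/`script` content matches followed by the same pcre. Python's `re.S | re.I` stand in for the `/si` modifiers, and the request/response samples are constructed for the example (they are not captures from the ISC diary). Running it shows that the pcre removes the obvious content-only false positive (an SVG whose text merely contains the word "script"), that the `%3c`-encoded form is still caught, and that an SVG carrying only an event-handler attribute such as `onload` is not matched by this pattern.

```python
import re

# Python equivalent of pcre:"/(?:\<|\%3c)svg\b.*?(?:\<|\%3c)script\b/si"
# (re.S == /s, re.I == /i); the %3c escape is matched literally as in the rule.
SVG_SCRIPT_RE = re.compile(rb"(?:<|%3c)svg\b.*?(?:<|%3c)script\b", re.S | re.I)


def request_uri(request: bytes) -> bytes:
    """Return the URI from an HTTP request line (stand-in for http_uri)."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule1_sets_flowbit(request: bytes) -> bool:
    """Rule 1: content:".svg"; nocase; http_uri -> flowbits:set,http.svgfound."""
    return b".svg" in request_uri(request).lower()


def response_body(response: bytes) -> bytes:
    """Return the body after the header block (stand-in for file_data)."""
    return response.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in response else b""


def rule2_matches(response: bytes, svg_flowbit: bool) -> bool:
    """Rule 2: flowbits:isset, ordered content matches, then the pcre."""
    if not svg_flowbit:
        return False
    body = response_body(response)
    lower = body.lower()
    svg_at = lower.find(b"svg")            # content:"svg"; nocase
    if svg_at < 0:
        return False
    # content:"script"; nocase; distance:0 -> must come after the "svg" match
    if lower.find(b"script", svg_at + len(b"svg")) < 0:
        return False
    return SVG_SCRIPT_RE.search(body) is not None


def detect(request: bytes, response: bytes) -> bool:
    """Run both rules over one request/response pair on the same flow."""
    return rule2_matches(response, rule1_sets_flowbit(request))


# Constructed sample traffic for the example (not real captures).
REQ_SVG = b"GET /img/logo.SVG HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_PNG = b"GET /img/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"


def http_ok(body: bytes, ctype: bytes = b"image/svg+xml") -> bytes:
    """Wrap a body in a minimal 200 response so file_data has headers to skip."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() +
            b"\r\n\r\n" + body)


SVG_WITH_SCRIPT = http_ok(b'<?xml version="1.0"?>\n'
                          b'<svg xmlns="http://www.w3.org/2000/svg">'
                          b'<script>alert(1)</script></svg>')
SVG_URLENCODED = http_ok(b"%3Csvg%3E%3Cscript%3Ealert(1)%3C/script%3E%3C/svg%3E")
SVG_TEXT_ONLY = http_ok(b"<svg><text>No scripting here</text></svg>")
SVG_ONLOAD = http_ok(b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>')

if __name__ == "__main__":
    cases = [("script element", REQ_SVG, SVG_WITH_SCRIPT),
             ("url-encoded tags", REQ_SVG, SVG_URLENCODED),
             ("'script' only in text", REQ_SVG, SVG_TEXT_ONLY),
             ("onload attribute only", REQ_SVG, SVG_ONLOAD),
             ("no .svg in request URI", REQ_PNG, SVG_WITH_SCRIPT)]
    for name, req, resp in cases:
        print(f"{name:24s} alert={detect(req, resp)}")
```

The two content matches are the cheap prefilter (Snort uses them as fast patterns before running the pcre); the `distance:0` on `script` is what forces it to occur after `svg`, which the emulation reproduces by searching from the end of the `svg` hit. The `onload` case is the gap a practitioner would tune for next: this pcre only fires on a `<script` element, not on inline event handlers or `javascript:` hrefs.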