[Snort-sigs] New sigs for detecting/auditing SVG files that contain JavaScript (possibly malicious)

rmkml rmkml at ...4129...
Wed Jan 25 15:28:40 EST 2017


First, thanks to ISC SANS for sharing the recent malicious SVG files.

Please check two new sigs for detecting/auditing SVG files that contain JavaScript (possibly malicious):

The first sig detects SVG files:
- it's a first public version; another check is possible, like Content-Type...
- check that you don't already have SVG flowbits in your ruleset...
- enhance with a regex to reduce possible FPs...

# Sets a flowbit on HTTP requests whose URI contains ".svg"; never alerts by itself.
# Header is client -> server ($HOME_NET -> $EXTERNAL_NET $HTTP_PORTS): the flowbit is only
# useful if it is set on the same flow that the second sig checks, and that sig matches
# responses from $EXTERNAL_NET $HTTP_PORTS back into $HOME_NET. (As first posted the header
# was $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS, which only pairs when the two variables
# overlap, e.g. both "any".)
# sid:1 is a placeholder; local rules should use a sid of 1000000 or above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC Svg flowbits noalert"; flow:to_server,established; content:".svg"; nocase; http_uri; flowbits:set,http.svgfound; flowbits:noalert; classtype:web-application-activity; sid:1; rev:1;)

The second sig detects/audits:

# Fires only on flows marked by the first sig (flowbits:isset). file_data exposes the
# (decoded) response body; "script" is searched relative to the end of the "svg" match
# (distance:0), so the two strings must appear in that order. The bare "script" also
# matches words such as "description", so treat this as an audit sig and tighten it with
# pcre (e.g. "<script", "on[a-z]+=" or "javascript:") if the FPs are too noisy.
# sid:2 is a placeholder; local rules should use a sid of 1000000 or above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Svg contains possible JavaScript attempt"; flow:to_client,established; flowbits:isset,http.svgfound; file_data; content:"svg"; nocase; content:"script"; nocase; distance:0; classtype:attempted-user; sid:2; rev:1;)

Don't forget to check your variables.

Please send any comments.

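The request/response pairing the two sigs rely on, modelled in Python as an added example (my code, not rmkml's rules and not Snort itself). It replays constructed HTTP events through the same header checks, flow direction, flowbits:set/isset and ordered content matches, so you can see offline which flows alert, why the flowbit must be set in the client -> server direction, and how the bare "script" match produces an FP on an innocent <desc> element. $HOME_NET = 10.0.0.0/8, $HTTP_PORTS = {80, 8080}, the traffic and the "strict" regex are all my assumptions, not from the post.

```python
"""Model of the two-stage flowbit logic in the post, run over constructed HTTP traffic.

Illustrative model, not Snort: it mirrors the rule headers, flow direction,
flowbits:set/isset and the ordered content matches of the two sigs so that the
pairing of request and response can be checked offline.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for $HOME_NET / $HTTP_PORTS (assumed values, not from the post).
HOME_NET = ip_network("10.0.0.0/8")
HTTP_PORTS = {80, 8080}


@dataclass
class HttpEvent:
    src: str
    sport: int
    dst: str
    dport: int
    uri: str = ""       # set on requests (what http_uri would inspect)
    body: bytes = b""   # set on responses (what file_data would expose)


def flow_key(ev):
    """Direction-independent key so a request and its response share one flow."""
    return tuple(sorted([(ev.src, ev.sport), (ev.dst, ev.dport)]))


def in_home(ip):
    return ip_address(ip) in HOME_NET


def sig1_matches(ev):
    """$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS; flow:to_server; content:".svg"; nocase; http_uri"""
    return (in_home(ev.src) and not in_home(ev.dst)
            and ev.dport in HTTP_PORTS and ".svg" in ev.uri.lower())


def sig2_header_matches(ev):
    """$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any; flow:to_client"""
    return not in_home(ev.src) and ev.sport in HTTP_PORTS and in_home(ev.dst)


def sig2_body_matches(body, strict=False):
    """content:"svg"; nocase; content:"script"; nocase; distance:0;

    distance:0 starts the second search at the end of the first match, so the two
    strings must appear in order. strict=True swaps the bare "script" for a
    pcre-style check (my assumption of one possible tightening, not the post's).
    """
    low = body.lower()
    i = low.find(b"svg")
    if i < 0:
        return False
    tail = low[i + len(b"svg"):]
    if strict:
        return re.search(rb"<script|\bon[a-z]+\s*=|javascript:", tail) is not None
    return b"script" in tail


def alerts_for(events, strict=False):
    """Replay events in order; return the request URIs of the flows that alerted."""
    svgfound = {}   # flow key -> URI; stands in for flowbits:set,http.svgfound
    alerts = []
    for ev in events:
        if ev.uri:                                  # request side
            if sig1_matches(ev):
                svgfound[flow_key(ev)] = ev.uri     # flowbits:noalert: nothing fires here
        elif sig2_header_matches(ev) and flow_key(ev) in svgfound:   # flowbits:isset
            if sig2_body_matches(ev.body, strict):
                alerts.append(svgfound[flow_key(ev)])
    return alerts


# Constructed sample traffic (not real captures). 203.0.113.10 is the "external" server.
SAMPLE_TRAFFIC = [
    # 1. SVG carrying an inline script: alerts in both modes.
    HttpEvent("10.0.0.5", 50000, "203.0.113.10", 80, uri="/img/Logo.SVG"),
    HttpEvent("203.0.113.10", 80, "10.0.0.5", 50000,
              body=b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
    # 2. Benign SVG whose <desc> text contains "description": FP for the loose sig only.
    HttpEvent("10.0.0.5", 50001, "203.0.113.10", 80, uri="/icon.svg"),
    HttpEvent("203.0.113.10", 80, "10.0.0.5", 50001,
              body=b'<svg><desc>Product description</desc><rect width="1" height="1"/></svg>'),
    # 3. A .js file that mentions both words: the flowbit is never set, so no alert.
    HttpEvent("10.0.0.5", 50002, "203.0.113.10", 80, uri="/app.js"),
    HttpEvent("203.0.113.10", 80, "10.0.0.5", 50002,
              body=b'var svg = document.createElement("script");'),
    # 4. External client fetching from a $HOME_NET server: the client-side sigs ignore
    #    this flow (sig1 does not set the flowbit, sig2's header does not match).
    HttpEvent("203.0.113.7", 44000, "10.0.0.80", 80, uri="/evil.svg"),
    HttpEvent("10.0.0.80", 80, "203.0.113.7", 44000,
              body=b'<svg><script>x()</script></svg>'),
]

if __name__ == "__main__":
    print("loose :", alerts_for(SAMPLE_TRAFFIC))
    print("strict:", alerts_for(SAMPLE_TRAFFIC, strict=True))
```

Running it shows the loose pair alerting on both the scripted SVG and the innocent icon, and the strict variant keeping only the scripted one; swapping sig1's header back to $EXTERNAL_NET -> $HOME_NET makes case 1 silent, which is the pairing problem the comment on the first sig describes.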

More information about the Snort-sigs mailing list