<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Oh, and that being said, this is a vulnerability against IE6 from October of 2004 that had to do with large Iframes.  If you are not running IE6 or have patched it since 2004, feel free to disable this rule.<div><br></div><div><div>--</div><div>Joel Esler</div><div>Senior Research Engineer, VRT</div><div>OpenSource Community Manager</div><div>Sourcefire</div><div><br></div><div><div>On Feb 20, 2012, at 9:40 AM, Joel Esler wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Discussion of VRT rules belongs on the Snort-sigs list.  Cc'ed here.<div><br></div><div>J</div><div><br><div><div>On Feb 20, 2012, at 9:16 AM, Balasubramaniam Natarajan wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">I am hitting a false positive for this rule when visiting Yahoo.<br><br><pre>web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt"; flow:to_client,established; file_data; content:"&lt;IFRAME "; nocase; pcre:"/&lt;IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"; metadata:policy security-ips drop; reference:bugtraq,11515; reference:cve,2004-1050; classtype:attempted-user; sid:15147; rev:7;)</pre>
<br><br><table bgcolor="#FFFFFF" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td class="plfieldhdr"> ID </td>
    <td class="plfieldhdr"> Signature </td>
    <td class="plfieldhdr"> Timestamp </td>
    <td class="plfieldhdr"> Source Address </td>
    <td class="plfieldhdr"> Dest. Address </td>
    <td class="plfieldhdr"> Layer 4 Proto </td>
   </tr>
<tr bgcolor="#DDDDDD"><td align="center" valign="top">
  <input name="action_chk_lst[0]" value="#0-(5-49715)" type="checkbox">
</td>

    <td align="center" valign="top">
  <a href="http://bodhidarmar/base/base_qry_alert.php?submit=%230-%285-49715%29&sort_order=">#0-(5-49715)</a>
</td>

<td align="left" valign="top">
  <font size="-1">[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1050" target="_ACID_ALERT_DESC">cve</a>]</font> <font size="-1">[<a href="http://icat.nist.gov/icat.cfm?cvename=CAN-2004-1050" target="_ACID_ALERT_DESC">icat</a>]</font> <font size="-1">[<a href="http://www.securityfocus.com/bid/11515" target="_ACID_ALERT_DESC">bugtraq</a>]</font> <font size="-1">[<a href="http://www.snort.org/search/sid/1-15147" target="_ACID_ALERT_DESC">snort</a>]</font>  WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt
</td>

<td align="center" valign="top">
  2012-02-20 08:47:05
</td>

<td align="center" valign="top">
  <a href="http://bodhidarmar/base/base_stat_ipaddr.php?ip=202.43.205.15&netmask=32">202.43.205.15</a><font size="-1">:80</font>
</td>

<td align="center" valign="top">
  <a href="http://bodhidarmar/base/base_stat_ipaddr.php?ip=192.168.56.1&netmask32">192.168.56.1</a><font size="-1">:44895</font>
</td>

<td align="center" valign="top">
  <font>TCP</font>
</td>

</tr><tr bgcolor="#FFFFFF"><td align="center" valign="top">
  <input name="action_chk_lst[1]" value="#1-(5-49712)" type="checkbox">
</td>

    <td align="center" valign="top">
  <a href="http://bodhidarmar/base/base_qry_alert.php?submit=%231-%285-49712%29&sort_order=">#1-(5-49712)</a>
</td>

<td align="left" valign="top">
  <font size="-1">[<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1050" target="_ACID_ALERT_DESC">cve</a>]</font> <font size="-1">[<a href="http://icat.nist.gov/icat.cfm?cvename=CAN-2004-1050" target="_ACID_ALERT_DESC">icat</a>]</font> <font size="-1">[<a href="http://www.securityfocus.com/bid/11515" target="_ACID_ALERT_DESC">bugtraq</a>]</font> <font size="-1">[<a href="http://www.snort.org/search/sid/1-15147" target="_ACID_ALERT_DESC">snort</a>]</font>  WEB-CLIENT Microsoft Internet Explorer malformed iframe buffer overflow attempt
</td>

<td align="center" valign="top">
  2012-02-20 08:46:57
</td>

<td align="center" valign="top">
  <a href="http://bodhidarmar/base/base_stat_ipaddr.php?ip=202.43.205.15&netmask=32">202.43.205.15</a><font size="-1">:80</font>
</td>

<td align="center" valign="top">
  <a href="http://bodhidarmar/base/base_stat_ipaddr.php?ip=192.168.56.1&netmask32">192.168.56.1</a><font size="-1">:44895</font>
</td>

<td align="center" valign="top">
  <font>TCP</font></td></tr></tbody></table><br><br><pre>HTTP/1.1 200 OK
Date: Mon, 20 Feb 2012 03:17:05 GMT
Server: YTS/1.19.8
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0122.rm.sg1
Set-Cookie: ih="b!!!!'!%LG&lt;!!!!$=L4W2!6W'N!!!!#=L4WL!8*(,!!!!(=L4WC!8Z^O!!!!#=L4W&gt;"; path=/; expires=Wed, 19-Feb-2014 03:17:05 GMT
Set-Cookie: vuday1=n#C*yNHRYlrlkFu; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Set-Cookie: BX=2pd19b17k3emo&b=4&d=i2aiwllpYF7d6BH6.kz_MpCsjVlXT83h9Z7ikDQ-&s=ri&i=b8OZS4VeRPGQ&t=50; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Set-Cookie: liday1=nfg#QNHRYlV!-@...3633...; path=/; expires=Tue, 21-Feb-2012 00:00:00 GMT
Cache-Control: no-store
Last-Modified: Mon, 20 Feb 2012 03:17:05 GMT
Pragma: no-cache
Content-Type: text/html
Age: 0
Transfer-Encoding: chunked
Connection: keep-alive

493
&lt;html&gt;&lt;body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"&gt;&lt;script type="text/javascript"&gt;if (window.rm_crex_data) {rm_crex_data.push(12037232);}
&lt;/script&gt;&lt;!-- RMX,yatranua/160x600_flash/160x600 (creativeId 76dab21a1fedf670149b12fc6064dd5e), created at Mon Nov 21 2011 15:42:54 GMT+0800 (Taipei Standard Time) --&gt;
&lt;iframe src="http://tm.ap.dp.yieldmanager.net/TagMonkey?adId=yatranua&creativeId=76dab21a1fedf670149b12fc6064dd5e&size=160x600&format=code&adx=rm&B=10&S=14981788&Z=160x600&_salt=2331634807&cb=1329707824465924&i=302928&p=1&r=0&u=http://l.yimg.com/d/lib/darla/2-2-5/html/ext-render-secure.html&ycg=m&ypos=SKY&yprop=inmailneo&yrc=in&yyob=1985&cb=1329707825&clickTag0=http%3A%2F%2Fad%2Eyieldmanager%2Ecom%2Fclk%3F3%2CeAGlTctugzAQ%2EJrcADkYiCOrB4NDFAVQSd1Izc0Y8yapXCoavr4mtP2BjlY7j5Vm1xAXGykEKICT5RuPcw%2DvobtFAkIkkAEwxjYCCHpo6xiOfwhI0jbH1B9VJMgDdNwfx0WSklRZeVvMM5o5CMSJ03KJnD51FvXf7afXMf0pORD99wFvKmhPX%2E2%2Ednpu46l1L4zcI3auk2k3xCzs4hfgJvtTG7EdfGNhHTMxXZqqiX8rCXkyjGoY3leQrOxQT2fd6760xK3XJp%2DDOpsVVx3XbJu26Wquhr7TJL8GU8lrLpX5IcWnktZ8%2DAbMQGn2%2C" frameborder="0" scrolling="no" width="160" height="600"&gt;&lt;/iframe&gt;&lt;/body&gt;&lt;/html&gt;

0
</pre>I believe that this is a VRT rule, so do let me know whether I can discuss those here; I don't want to break any rules of this mailing list.<br clear="all">
<br>-- <br>Regards,<br>Balasubramaniam Natarajan<br><a href="http://www.etutorshop.com/moodle/" target="_blank">www.etutorshop.com/moodle/</a><br><br>
_______________________________________________<br>Emerging-sigs mailing list<br><a href="mailto:Emerging-sigs@...3335...">Emerging-sigs@...3335...</a><br><a href="http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br><br>Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com<br>The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!</blockquote></div><br></div></div></blockquote></div><br></div></body></html>
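<div>As an added example that is not part of the thread above (not Sourcefire's or the VRT's code): the pcre option from SID 15147, run in Python's re engine over two constructed HTML bodies. One stands in for the YieldManager ad frame in the capture, with a click-tracking parameter padding the iframe src well past 400 characters; the other is an ordinary short iframe. The hostnames under .invalid and the sample markup are placeholders, not the captured bytes. The block also measures the src length directly, which is the number the rule's <code>{400}</code> quantifier is really testing.</div>

```python
import re

# The pcre option from SID 15147 exactly as it appears in the rule above.
# Snort's /s, /m and /i modifiers map onto Python's re.DOTALL, re.MULTILINE
# and re.IGNORECASE; \x22 and \x27 are the double and single quote.
SID_15147_PCRE = r"/<IFRAME\s+[^>]*?src\s*=\s*(\x22|\x27|)[^\x22\x27\s>]{400}/smi"

_FLAG_MAP = {"s": re.DOTALL, "m": re.MULTILINE, "i": re.IGNORECASE}


def compile_snort_pcre(pcre: str) -> "re.Pattern[str]":
    """Split a Snort pcre:"/.../flags" value into pattern and flags and compile it."""
    body, sep, flags = pcre.rpartition("/")
    if not sep or not body.startswith("/"):
        raise ValueError("pcre value must be delimited with /")
    re_flags = 0
    for f in flags:
        if f not in _FLAG_MAP:
            raise ValueError(f"unsupported pcre modifier {f!r}")
        re_flags |= _FLAG_MAP[f]
    return re.compile(body[1:], re_flags)


RULE_RE = compile_snort_pcre(SID_15147_PCRE)

# Same attribute grammar as the rule, but capturing the whole src value so it
# can be measured instead of tested against a fixed 400 characters.
_SRC_RE = re.compile(
    r"<IFRAME\s+[^>]*?src\s*=\s*(?:\x22|\x27|)([^\x22\x27\s>]*)", re.I | re.S
)


def sid_15147_matches(body: str) -> bool:
    """True if the rule's pcre fires on this (already reassembled) HTTP body.

    The real rule also needs content:"<IFRAME " to hit first and runs over
    file_data, i.e. the decoded response body; the pcre is the part that
    decides between a long ad URL and a short one.
    """
    return RULE_RE.search(body) is not None


def iframe_src_length(body: str) -> int:
    """Length of the longest <iframe src=...> value in the body, 0 if none."""
    return max((len(m.group(1)) for m in _SRC_RE.finditer(body)), default=0)


# Constructed stand-ins for the traffic in the thread, not the captured bytes:
# an ad-serving iframe whose src carries a long click-tracking parameter, and
# an ordinary iframe. Hostnames under .invalid are placeholders.
AD_IFRAME = (
    '<html><body><iframe src="http://tm.example.invalid/TagMonkey?adId=x&clickTag0='
    + "A" * 480
    + '" frameborder="0" scrolling="no" width="160" height="600"></iframe></body></html>'
)
SHORT_IFRAME = '<iframe src="http://example.invalid/page.html"></iframe>'


if __name__ == "__main__":
    for name, sample in (("ad iframe", AD_IFRAME), ("short iframe", SHORT_IFRAME)):
        verdict = "matches" if sid_15147_matches(sample) else "does not match"
        print(f"{name}: src length {iframe_src_length(sample)}, SID 15147 pcre {verdict}")
```

The constructed ad frame matches for the same reason the captured one does: the rule counts 400 consecutive characters that are not a quote, whitespace or <code>&gt;</code> after <code>src=</code>, and an ad URL carrying an encoded click-through destination exceeds that easily. An iframe whose src is 399 characters long is left alone, so the signature is a pure length threshold with no knowledge of what the URL is. Per Joel's note, a network with no IE6 can comment the rule out; if you prefer to keep it, a Snort <code>suppress gen_id 1, sig_id 15147</code> entry in threshold.conf silences it without touching the ruleset file.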