[Snort-users] uricontent misbehaving?

Tim Kramer kramert at ...3975...
Fri Nov 2 11:27:02 EST 2001


Dan,

The "readme.eml" rule (in this case) was probably written
in response to the Nimda worm which infects web servers so
that they have an extra line of HTML/JavaScript code at the
bottom of the web page.  The additional code causes a new
browser window to be opened well off the visible portion of
the desktop (location 6000,6000) and to download a file
called "readme.eml".  The actual code that gets added to the
webpage looks like (without the proper JavaScript tags):

window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

The act of visiting the infected website causes an additional
HTTP request.  This also makes it easy to detect (via Snort)
and/or easy to block (via Squid).

Hope this helps,
Tim Kramer
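The distinction the thread turns on (uricontent inspects only the URI of a client request, content inspects the whole packet payload) can be checked directly. The following is an added example, not code from either poster or from Snort itself; the HTTP messages are constructed to mirror the thread: a client fetching readme.eml, a server page carrying the injected window.open() line, and an ordinary page that merely mentions the file name. The function names (parse_http, uricontent_match, content_match, nimda_footer_present) are this example's own.

```python
"""Show why a URI-only matcher fires on the client's fetch of readme.eml but
not on a server response whose body contains the string, while a whole-payload
matcher fires on both.  Added example; all sample messages are constructed."""

from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class HttpMessage:
    is_request: bool
    uri: Optional[str]   # set only for requests
    payload: bytes       # full TCP payload, as a sensor would see it


def parse_http(payload: bytes) -> HttpMessage:
    """Classify a payload by its first line and extract the request URI.
    A line of the form 'METHOD URI HTTP/x.y' is a request; anything else
    (status lines, non-HTTP data) has no URI for a URI-only matcher to use."""
    first_line, _, _ = payload.partition(b"\r\n")
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return HttpMessage(True, parts[1].decode("latin-1"), payload)
    return HttpMessage(False, None, payload)


def uricontent_match(payload: bytes, needle: str, nocase: bool = True) -> bool:
    """uricontent semantics: only the URI of a request is searched.
    Responses never match, whatever their body contains."""
    msg = parse_http(payload)
    if not msg.is_request or msg.uri is None:
        return False
    hay, n = (msg.uri.lower(), needle.lower()) if nocase else (msg.uri, needle)
    return n in hay


def content_match(payload: bytes, needle: str, nocase: bool = True) -> bool:
    """content semantics: headers and body of any packet are searched."""
    n = needle.encode("latin-1")
    if nocase:
        return n.lower() in payload.lower()
    return n in payload


def nimda_footer_present(payload: bytes) -> bool:
    """Defender-side check for an infected page: the injected footer opens a
    window off-screen (top=6000,left=6000) and fetches readme.eml.  Requests
    are skipped; only the response body is examined."""
    msg = parse_http(payload)
    if msg.is_request:
        return False
    body = payload.partition(b"\r\n\r\n")[2].lower()
    return (b"window.open(" in body and b"readme.eml" in body
            and b"top=6000,left=6000" in body)


# Constructed sample traffic (not captured data).
CLIENT_FETCH = b"GET /readme.eml HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"
INFECTED_PAGE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body>hello</body></html>\r\n"
                 b'<script language="JavaScript">window.open("readme.eml", null, '
                 b'"resizable=no,top=6000,left=6000")</script>\r\n')
DOCS_PAGE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<p>The scanner quarantines readme.eml attachments.</p>\r\n")
UPPERCASE_FETCH = b"GET /README.EML HTTP/1.0\r\n\r\n"


def evaluate(payload: bytes) -> dict:
    """Return what each matcher would decide for one payload."""
    return {"uricontent": uricontent_match(payload, "readme.eml"),
            "content": content_match(payload, "readme.eml"),
            "nimda_footer": nimda_footer_present(payload)}


if __name__ == "__main__":
    samples = [("client fetch", CLIENT_FETCH), ("infected page", INFECTED_PAGE),
               ("docs page", DOCS_PAGE), ("uppercase fetch", UPPERCASE_FETCH)]
    for name, p in samples:
        print(f"{name:15s} {evaluate(p)}")
```

The "docs page" sample is the case from the original question: a response body that happens to contain "readme.eml" satisfies a content-style search but not a URI-only one, so a rule that fires on such a packet is behaving as content rather than uricontent. The nimda_footer_present check is the complementary response-side test a web server operator can run against their own pages to see whether the injected footer is present.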


On Fri, 2001-11-02 at 13:21, dan.ellis at ...3983... wrote:
> Hi,
> 
> I'm not actually a snort user, but I'm trying to respond to a log I was
> sent:
> 
> Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
> Priority:8 Type:Attempted User Privilege Gain
> IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
> References: 1
> 
> which apparently came from the rule:
> 
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
>     (msg:"WEB-MISC readme.eml attempt"; \
>     flags:A+; uricontent:"readme.eml"; nocase; \
>     classtype:attempted-user; sid:1284; rev:3; \
>     reference:url,www.cert.org/advisories/CA-2001-26.html;)
> 
> (xxx... is our web server.)
> 
> I'm not very familiar with snort, but from what I've just read in the
> documentation the 'uricontent' bit is supposed to match only on
> the URI of requests. However, this was a response packet from our
> web server. Of course, several of our pages contain the text "readme.eml",
> but I don't see how this rule could have triggered unless it was
> mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
> been known to misbehave in this way?
> 
> Any information greatly appreciated.
> 
> Regards,
> Dan.
> 
> 
> --
> Dan Ellis, Software Engineer                              Sophos Anti-Virus
> email: dan.ellis at ...3983...                           http://www.sophos.com
> US Support: +1 888 SOPHOS 9                     UK Support: +44 1235 559933
> 
> 