[Snort-users] [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2

Will Metcalf william.metcalf at ...11827...
Tue Aug 10 16:49:02 EDT 2010


ehhh be careful... this only works for http_uri and http_client_body;
all other http_* modifiers using distance/within fail silently....
always... at least in my testing. Which makes me wonder why snort
doesn't reject those rules during parsing, as they will never match.
Joel?  Also, did you test these? Because as of 2.8.5.3 (yes I know, I
know) this would only work if you did....

content:"id="; http_client_body; content:"%26jp"; distance:32;
classtype:bad-unknown; sid:5600099; rev:2;)

leaving off the second http_client_body modifier. Otherwise it appears
the behavior is that, in this case, distance would always start from the
beginning of the normalized buffer, i.e. it behaves like offset.  The same
trick works for http_uri, but if the URI has to be decoded/normalized
in any way it will always fail.

This is really annoying to me btw.  If you have a normalized buffer,
as a rule writer you should be able to do something like what Eoin
is trying to do.  For things where within/distance don't really make
much of a difference I can understand (read: uricontent), but for things
like HTTP headers etc., where you fingerprint things like a unique
user-agent using within/distance and can avoid pcre, why not allow this
instead of assuming that the user "really meant" depth/offset.

just my 0.02

Regards,

Will

On Tue, Aug 10, 2010 at 2:57 PM, Eoin Miller
<eoin.miller at ...14586...> wrote:
>  These are better versions that should have a much lower FP rate, why I
> didn't use the distance keyword last time? Because I am an idiot:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
> Exploit Kit - request for PDF exploit"; flow:established,to_server;
> content:"POST"; http_method; content:"id="; http_client_body;
> content:"%26np"; distance:32; http_client_body; classtype:bad-unknown;
> sid:5600099; rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
> Exploit Kit - request for Java exploit"; flow:established,to_server;
> content:"POST"; http_method; content:"id="; http_client_body;
> content:"%26j"; distance:32; http_client_body; classtype:bad-unknown;
> sid:5600100; rev:2;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
> Exploit Kit - request for Java and PDF exploits";
> flow:established,to_server; content:"POST"; http_method; content:"id=";
> http_client_body; content:"%26jp"; distance:32; http_client_body;
> classtype:bad-unknown; sid:5600101; rev:2;)
>
> -- Eoin
>
>
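To make the difference Will describes concrete, here is an added Python emulation (not code from either post) of Snort's relative `distance` against the offset-like behaviour he observed when the trailing http_client_body modifier is kept, run over two constructed POST bodies rather than real kit traffic:

```python
# Emulates relative `distance` (what Eoin's rules intend) versus the
# offset-like behaviour Will describes for the variant with a second
# http_client_body modifier.  Added example; the bodies below are
# constructed samples, not captured exploit-kit requests.

# Second content strings and sids taken from Eoin's three rules.
RULES = {5600099: b"%26np", 5600100: b"%26j", 5600101: b"%26jp"}
FIRST = b"id="
DISTANCE = 32


def match_relative(body: bytes, second: bytes, distance: int = DISTANCE) -> bool:
    """content:"id="; content:second; distance:N -> the search for `second`
    begins N bytes after the END of the "id=" match (true relative match)."""
    i = body.find(FIRST)
    if i < 0:
        return False
    return body.find(second, i + len(FIRST) + distance) >= 0


def match_offset_like(body: bytes, second: bytes, offset: int = DISTANCE) -> bool:
    """Will's observation: with the trailing modifier the distance is taken
    from the start of the normalized buffer, i.e. it behaves like offset:N
    and no longer depends on where "id=" matched."""
    if body.find(FIRST) < 0:
        return False
    return body.find(second, offset) >= 0


def fired(body: bytes, matcher) -> list:
    """Return the sids whose second content matches `body` under `matcher`."""
    return sorted(sid for sid, second in RULES.items() if matcher(body, second))


# Constructed body in the shape the rules target: "id=", a 32-byte value, "%26jp".
BODY_KIT = b"id=" + b"a" * 32 + b"%26jp"
# Constructed benign-looking body: another parameter first, then "id=" with a
# short value, so "%26jp" sits well inside the 32-byte window after "id=".
BODY_BENIGN = b"x=" + b"A" * 40 + b"&id=" + b"0" * 5 + b"%26jp"

if __name__ == "__main__":
    for name, body in (("kit", BODY_KIT), ("benign", BODY_BENIGN)):
        print(name, "relative:", fired(body, match_relative),
              "offset-like:", fired(body, match_offset_like))
```

On the benign body only the offset-like semantics fire, which is exactly the false-positive reduction from `distance` that the second modifier throws away.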