[Snort-users] [Emerging-Sigs] Signatures for Clients POSTing to SEO/NEOsploit Exploit Kits - Round 2

Will Metcalf william.metcalf at ...11827...
Tue Aug 10 16:52:02 EDT 2010


> if you have a normalized buffer
> why as a rule writer you should be able to di something like what Eoin
> is trying to do.
wow... what a horrible sentence... I meant...

If you have a normalized buffer as a rule writer you should be able to
do something like what Eoin is trying to do.

On Tue, Aug 10, 2010 at 3:49 PM, Will Metcalf <william.metcalf at ...11827...> wrote:
> ehhh be careful... this only works for http_uri and http_client_body
> all other http_* modifiers using distance/within fails silently....
> always... at least in my testing. Which makes me wonder why snort
> doesn't reject those rules during parsing as they will never match.
> Joel?  Also did you test these because as of 2.8.5.3 (yes I know, I
> know) this would only work if you did....
>
> content:"id="; http_client_body; content:"%26jp"; distance:32;
> classtype:bad-unknown; sid:5600099; rev:2;)
>
> leaving off the second http_client_body modifier. Otherwise it appears
> that in this case distance would always start from the beginning of the
> normalized buffer, i.e. it behaves like offset.  The same trick works
> for http_uri, but if the uri has to be decoded/normalized in any way it
> will always fail.
>
> This is really annoying to me btw.  if you have a normalized buffer
> why as a rule writer you should be able to di something like what Eoin
> is trying to do.  For things where within/distance don't really make
> much of a difference I can understand (read: uricontent), but for things
> like http headers etc., where you fingerprint things like a unique
> user-agent using within/distance and can avoid pcre, why not allow this
> instead of assuming that the user "really meant" depth/offset.
>
> just my 0.02
>
> Regards,
>
> Will
>
> On Tue, Aug 10, 2010 at 2:57 PM, Eoin Miller
> <eoin.miller at ...14586...> wrote:
>>  These are better versions that should have a much lower FP rate, why I
>> didn't use the distance keyword last time? Because I am an idiot:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
>> Exploit Kit - request for PDF exploit"; flow:established,to_server;
>> content:"POST"; http_method; content:"id="; http_client_body;
>> content:"%26np"; distance:32; http_client_body; classtype:bad-unknown;
>> sid:5600099; rev:2;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
>> Exploit Kit - request for Java exploit"; flow:established,to_server;
>> content:"POST"; http_method; content:"id="; http_client_body;
>> content:"%26j"; distance:32; http_client_body; classtype:bad-unknown;
>> sid:5600100; rev:2;)
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DRIVEBY SEO
>> Exploit Kit - request for Java and PDF exploits";
>> flow:established,to_server; content:"POST"; http_method; content:"id=";
>> http_client_body; content:"%26jp"; distance:32; http_client_body;
>> classtype:bad-unknown; sid:5600101; rev:2;)
>>
>> -- Eoin
>>
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...14333...
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
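As an added illustration (not code from the thread, and not Snort's own matcher), the following Python models the two interpretations of distance under discussion, relative to the previous match versus from the start of the normalized buffer, and runs the body conditions of Eoin's sid:5600101 rule over two constructed POST bodies; the sample bodies are assumptions made for this example.

```python
# Added example (not from the thread): a minimal model of Snort's
# content/distance matching over the normalized client body, written to
# show what Eoin's rule intends versus the offset-like behaviour Will
# reports seeing when the second http_client_body modifier is present.
# The two sample bodies below are constructed for this illustration.

def match_contents(body: bytes, contents, relative: bool = True):
    """Return the end offset of the last match, or None if any content fails.

    `contents` is a list of (pattern, distance) pairs.  With relative=True
    the search for each pattern starts `distance` bytes after the end of the
    previous match (documented distance semantics).  With relative=False it
    starts `distance` bytes from the beginning of the buffer, i.e. distance
    degrades into offset, which is the behaviour described in the thread.
    """
    cursor = 0
    for pattern, distance in contents:
        start = (cursor if relative else 0) + distance
        idx = body.find(pattern, start)
        if idx < 0:
            return None
        cursor = idx + len(pattern)
    return cursor

# Body conditions of sid:5600101: "id=", then "%26jp" 32 bytes after that match.
SEO_JP_RULE = [(b"id=", 0), (b"%26jp", 32)]

# Constructed sample: a 32-byte hex id followed by the URL-encoded "&jp".
HIT_BODY = b"id=" + b"0123456789abcdef" * 2 + b"%26jp=1"

# Constructed sample: "id=" appears late in the body and is immediately
# followed by "%26jp", so there are not 32 bytes between the two matches.
LATE_ID_BODY = b"q=" + b"x" * 40 + b"&id=%26jp=1"

def evaluate(body: bytes) -> dict:
    """Evaluate the rule body under both interpretations of distance."""
    return {
        "relative": match_contents(body, SEO_JP_RULE, relative=True) is not None,
        "offset_like": match_contents(body, SEO_JP_RULE, relative=False) is not None,
    }

if __name__ == "__main__":
    for name, body in (("HIT_BODY", HIT_BODY), ("LATE_ID_BODY", LATE_ID_BODY)):
        print(name, evaluate(body))
```

The second body matches only under the offset-like reading, which is the false positive the relative distance was meant to rule out.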