[Snort-users] Snort Alert[1:16482:8]

waldo kitty wkitty42 at ...14940...
Tue Mar 26 21:44:19 EDT 2013


On 3/26/2013 11:44, Michael Steele wrote:
> Is it possible users could be spoofing their x browser to appear to be IE?

spoofing the UA would not trigger the rule in question...


/var/snort/rules/web-client.rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft 
Internet Explorer userdata behavior memory corruption attempt"; 
flow:to_client,established; content:"addBehavior|28|"; nocase; 
content:"|23|default|23|userData"; distance:0; nocase; 
content:"setAttribute|28|"; distance:0; nocase; 
pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; 
metadata:policy balanced-ips drop, policy security-ips drop, service http; 
reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; 
classtype:attempted-user; sid:16482; rev:6;)


granted, the above is version 6 of the rule but i doubt it has changed that much 
to be UA centric... the CVE and KB probably target the specific browsers in 
their writings...




More information about the Snort-users mailing list