[Snort-users] Snort Alert[1:16482:8]

Alex Kirk akirk at ...1935...
Tue Mar 26 21:52:53 EDT 2013


This is a client-side bug that was exploited in the wild a lot. You're
probably seeing old sites looking for unpatched browsers; if you're
confident you have no vulnerable IE running around, you're fine, and this
is just noise for you - though not a false positive, per se.
On Mar 26, 2013 9:48 PM, "waldo kitty" <wkitty42 at ...14940...> wrote:

> On 3/26/2013 11:44, Michael Steele wrote:
> > Is it possible users could be spoofing their x browser to appear to be
> IE?
>
> spoofing the UA would not trigger the rule in question...
>
>
> /var/snort/rules/web-client.rules:
>
> # flow:to_client - the rule inspects the server's response body, not the request
> # (so nothing the client puts in its User-Agent header is ever examined).
> # The three content matches are ordered; distance:0 means each must follow the
> # previous one, and the pcre then requires the same object on both calls.
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
>     msg:"WEB-CLIENT Microsoft Internet Explorer userdata behavior memory corruption attempt"; \
>     flow:to_client,established; \
>     content:"addBehavior|28|"; nocase; \
>     content:"|23|default|23|userData"; distance:0; nocase; \
>     content:"setAttribute|28|"; distance:0; nocase; \
>     pcre:"/(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]/smi"; \
>     metadata:policy balanced-ips drop, policy security-ips drop, service http; \
>     reference:cve,2010-0806; reference:url,support.microsoft.com/kb/980182; \
>     classtype:attempted-user; sid:16482; rev:6; \
> )
>
>
> Granted, the above is version 6 of the rule, but I doubt it has changed
> that much to be UA-centric... the CVE and KB probably target the specific
> browsers in their writings...
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
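To make the point in the thread concrete (the rule keys on what the server sends back, not on the User-Agent the client claims), here is an added example, not code from the thread, from Sourcefire or from the Snort rule set: a small Python emulation of the sid:16482 rev:6 match logic, run over constructed HTTP response bodies. The ordered nocase/distance:0 content chain is approximated as a simple left-to-right search, and the rule's pcre is transcribed verbatim into Python's re module (/smi becomes DOTALL, MULTILINE and IGNORECASE). All payloads below are constructed for illustration; the "exploit_shape" sample only has the syntactic shape the rule describes and is not exploit code.

```python
import re

# Content matches from sid:16482 rev:6, in rule order. All are nocase; the
# second and third carry distance:0, i.e. must occur after the previous match.
SID16482_CONTENTS = (b"addBehavior(", b"#default#userData", b"setAttribute(")

# The rule's pcre, transcribed unchanged. /smi -> re.S | re.M | re.I.
# (?P=obj) forces the setAttribute() call to be on the same object that got
# addBehavior("#default#userData"); the trailing [A-Z] requires the second
# setAttribute argument to start with an identifier, not a string literal.
SID16482_PCRE = re.compile(
    rb"(?P<obj>[A-Z\d_]+)\.addBehavior\x28(?P<q1>\x22|\x27|)[^\x29]*"
    rb"\x23default\x23userData(?P=q1)\x29.*?(?P=obj)\.setAttribute\x28[^,]+,\s*[A-Z]",
    re.S | re.M | re.I,
)


def content_chain_matches(payload: bytes, contents) -> bool:
    """Simplified emulation of nocase content matches chained with distance:0.

    Each pattern is searched case-insensitively starting at the end of the
    previous match. (Snort's detection engine can retry earlier matches; this
    first-match approximation is enough for the samples here.)
    """
    hay = payload.lower()
    pos = 0
    for pattern in contents:
        idx = hay.find(pattern.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    return True


def sid16482_fires(payload: bytes, to_client: bool = True) -> bool:
    """True if this payload would satisfy the rule's flow, content and pcre options."""
    if not to_client:           # flow:to_client - requests are never inspected
        return False
    if not content_chain_matches(payload, SID16482_CONTENTS):
        return False            # fast-pattern/content stage rejects it
    return SID16482_PCRE.search(payload) is not None


# Constructed sample traffic (not captured data).
SAMPLES = {
    # Shape the rule describes: one object gets addBehavior('#default#userData')
    # and then setAttribute(<name>, <variable>).
    "exploit_shape": (
        b"<script>var d=document.createElement('div');\n"
        b"d.addBehavior('#default#userData');\n"
        b"d.setAttribute('s', payload);</script>"
    ),
    # Same calls on two different objects: content chain passes, (?P=obj) fails.
    "two_objects": b"a.addBehavior('#default#userData'); b.setAttribute('s', x);",
    # Second setAttribute argument is a string literal: trailing [A-Z] fails.
    "string_value": b"d.addBehavior('#default#userData'); d.setAttribute('title', 'hi');",
    # A request with a spoofed IE User-Agent: wrong direction, and no content anyway.
    "spoofed_ua_request": (
        b"GET / HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Run every sample through the emulated rule; requests are flagged to_client=False."""
    return {
        name: sid16482_fires(body, to_client=not name.endswith("_request"))
        for name, body in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:20s} -> {'ALERT' if fired else 'no alert'}")
```

Only the response body that carries both calls on the same object, with a non-literal second argument, fires; a client that merely advertises itself as MSIE in the request never reaches the content stage, which is the point made above about UA spoofing.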

