[Snort-users] How much of a stream(javascript) is actually blocked on event?

Joel Esler (jesler) jesler at ...589...
Mon Jan 27 21:46:01 EST 2014


On Jan 27, 2014, at 7:47 PM, waldo kitty <wkitty42 at ...14940...> wrote:

> On 1/27/2014 12:59 PM, Lil Evil wrote:
>> Now, if I download the URL from a linux client with wget the javascript is being
>> downloaded until the comment is reached and then it'll stop further downloading
>> and hangs.
>>
>> However, a considerable amount of the javascript is already being downloaded
>> until the comment section is reached. I do not know how much of this javascript
>> is being executed, or any at all, but my expectation would be that the complete
>> stream would be blocked.
>
> a block or alert can't be initiated until a match has been made ;)

And Javascript can’t partially execute.  All the code has to be there.

But your display says that not all the code makes it, and the traffic is dropped.  That being said, that rule is simply looking for a comment on a page.  There are lots of these types of comments, not exactly sure what they are attributed to.

However, theory is that they belong to a tool called “iFRAMER”.  (Best resource I can give you is this:  http://malware.dontneedcoffee.com/2013/09/cookie-bomb-iframer-way.html )  Sometimes the comments are removed when the iframe is cleaned up, sometimes they aren’t.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
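The point made above, that an inline sensor can only start dropping at the segment that completes the match, so everything before it has already reached the client, as an added example that is not from this thread or from Snort. It is a deliberately simplified model: the sample JavaScript, the comment marker, the segment size and the reassembly behaviour are all constructed assumptions, and it also shows the related failure mode where a marker straddling two segments is missed entirely when segments are inspected without reassembly.

```python
"""Simplified model of inline drop on a TCP stream (constructed example).

Assumption: the sensor inspects each segment as it arrives, matches the rule
content against the reassembled stream so far, and drops the first segment
that completes a match plus everything after it.  Segments already forwarded
cannot be recalled: the client sees a partial download, then a hang.
"""

# Constructed sample: JavaScript carrying an injected comment marker
# (placeholder text, not a real signature).
JS_PAYLOAD = (
    b"function init(){var a=1;\n"
    b"/* ---- injected block start ---- */\n"
    b"document.write('<iframe src=\"http://example.invalid\">');\n"
    b"/* ---- injected block end ---- */\n"
    b"}\ninit();\n"
)
MARKER = b"injected block start"  # the rule's content match

def segment(data, mss):
    """Split the payload into TCP segments of at most mss bytes."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]

def inline_filter(segments, pattern, reassemble=True):
    """Return (bytes forwarded to the client, segments dropped, matched).

    reassemble=True keeps the tail of earlier segments so a pattern that
    straddles a segment boundary is still found (stream reassembly);
    reassemble=False inspects each segment alone and misses such a pattern.
    """
    forwarded, tail, keep = b"", b"", max(len(pattern) - 1, 0)
    for idx, seg in enumerate(segments):
        view = tail + seg if reassemble else seg
        if pattern in view:
            # Match completed here: drop this and every later segment.
            return forwarded, len(segments) - idx, True
        forwarded += seg
        tail = (tail + seg)[-keep:] if keep else b""
    return forwarded, 0, False

def demo(mss=40, reassemble=True):
    """Run the filter over the sample and report what the client received."""
    fwd, dropped, hit = inline_filter(segment(JS_PAYLOAD, mss), MARKER, reassemble)
    return {"forwarded": len(fwd), "total": len(JS_PAYLOAD),
            "dropped_segments": dropped, "matched": hit}

if __name__ == "__main__":
    for mss, reasm in ((40, True), (40, False), (100, True)):
        print(f"mss={mss} reassemble={reasm}: {demo(mss, reasm)}")
```

With a 40-byte segment size the first segment is already on the client before the marker completes in the second, while with a 100-byte segment the marker sits inside the first segment and nothing gets through; the difference is the segmentation, not the rule.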