List: emerging-sigs
Subject: [Emerging-Sigs] Signatures
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2008-06-23 23:19:15
Message-ID: 48602F73.6050502 () jonkmans ! com
Sconzo, Michael wrote:
> I put these together, maybe somebody will find them useful.
>
> The first one:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "iframe in image file"; flow: from_server,established; pcre:"/content-type\:\s+image\/(jpeg|gif|png)/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype: web-application-attack; rev:1; sid:3000000;)
Put this in current_events, and cut it into 3 sigs to get a good anchor before the pcres:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\:"; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/jpeg/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008313; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\:"; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/gif/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008314; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\:"; nocase; content:" image/png"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/png/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008315; rev:1;)
> The second one:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible harmful site - request b.js"; flow:established,to_server; uricontent:"b.js"; classtype:web-application-attack; rev:1; sid:3000001;)
Added a leading /, but also in current_events.
Thanks Mike!!
Matt
>
> is along the same lines, except this looks for a client request for b.js
> that seems to indicate that a client is following an injected iframe to
> some malicious code.
>
> Any and all feedback is welcome.
> -=Mike
>
> ---
> Mike Sconzo <msconzo at ercot.com>
> ERCOT Security Operations
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
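An added example, not part of this thread and not Emerging Threats' own code: a small Python emulation of the matching chain used by the three image/iframe rules and by the b.js request rule, run over constructed HTTP messages. It shows why the cheap `content:` anchors gate the `pcre:` checks and why the leading `/` in `uricontent:"/b.js"` matters. Assumptions: `within`/`distance` are emulated as byte windows relative to the end of the previous match, and the `uricontent` test is approximated by a substring search on the raw request-line URI (a real sensor normalizes the URI first). All sample messages are constructed.

```python
import re

# Constructed sample HTTP responses (not real captures).
RESPONSES = {
    "jpeg_with_iframe": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/jpeg\r\n"
        b"\r\n"
        b'<iframe src="http://example.invalid/b.js" width=0></iframe>'
    ),
    "gif_with_iframe": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/gif\r\n"
        b"\r\n"
        b'GIF89a<iframe src="http://example.invalid/b.js"></iframe>'
    ),
    "real_jpeg": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/jpeg\r\n"
        b"\r\n"
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    ),
    "html_with_iframe": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\n"
        b'<html><iframe src="/frame.html"></iframe></html>'
    ),
    # The rule's pcre uses /im only (no /s), so "." does not cross a newline:
    # an iframe tag split over two lines passes the content anchors but
    # is not confirmed by the pcre.  Same limitation as the rule itself.
    "jpeg_iframe_split_lines": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/jpeg\r\n"
        b"\r\n"
        b'<iframe\nsrc="http://example.invalid/b.js"></iframe>'
    ),
}

# Constructed sample client requests (not real captures).
REQUESTS = {
    "fetch_b_js": b"GET /b.js HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "fetch_lib_js": b"GET /static/lib.js HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

SUBTYPES = (b"jpeg", b"gif", b"png")

# pcre:"/content-type\:\s+image\/<sub>/im" and pcre:"/<iframe.*?src.*?>.*?</iframe>/im"
PCRE_CONTENT_TYPE = {
    sub: re.compile(rb"content-type:\s+image/" + sub, re.I | re.M) for sub in SUBTYPES
}
PCRE_IFRAME = re.compile(rb"<iframe.*?src.*?>.*?</iframe>", re.I | re.M)


def content_chain(payload: bytes, subtype: bytes):
    """Emulate the rule's content: chain.  Returns the offset of '<iframe' on
    success, or None as soon as one anchor fails (the pcres never run then).
      content:"|0d 0a|content-type\\:"; nocase;
      content:" image/<sub>"; nocase; distance:0; within:30;
      content:"<iframe"; nocase; distance:0;
    """
    low = payload.lower()                    # nocase
    anchor = b"\r\ncontent-type:"
    p = low.find(anchor)
    if p < 0:
        return None
    cursor = p + len(anchor)                 # end of previous match
    needle = b" image/" + subtype
    # distance:0 -> search starts at cursor; within:30 -> the whole needle
    # must lie inside the next 30 bytes.
    q = low.find(needle, cursor, cursor + 30)
    if q < 0:
        return None
    cursor = q + len(needle)
    r = low.find(b"<iframe", cursor)         # distance:0, no within
    return None if r < 0 else r


def match_iframe_in_image(payload: bytes):
    """Return 'jpeg', 'gif' or 'png' if the corresponding rule would fire, else None."""
    for sub in SUBTYPES:
        if content_chain(payload, sub) is None:
            continue                         # cheap anchors miss: pcre skipped
        # Both pcres are unanchored, so they search the whole payload.
        if PCRE_CONTENT_TYPE[sub].search(payload) and PCRE_IFRAME.search(payload):
            return sub.decode()
    return None


def request_uri(request: bytes) -> bytes:
    """Pull the URI out of the request line (simplification: no normalization)."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def match_b_js(request: bytes, uricontent: bytes = b"/b.js") -> bool:
    """Emulate uricontent:"<uricontent>" as a substring test on the URI."""
    return uricontent in request_uri(request)


if __name__ == "__main__":
    for name, resp in RESPONSES.items():
        print(f"{name:26s} -> {match_iframe_in_image(resp)}")
    for name, req in REQUESTS.items():
        print(f"{name:26s} -> /b.js: {match_b_js(req)}  b.js: {match_b_js(req, b'b.js')}")
```

The request half shows what the leading `/` buys: `uricontent:"b.js"` also matches `/static/lib.js` (and any other URI ending in `b.js`), while `uricontent:"/b.js"` only matches a path component that is exactly `b.js`.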