
List:       emerging-sigs
Subject:    [Emerging-Sigs] Signatures
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-06-23 23:19:15
Message-ID: 48602F73.6050502 () jonkmans ! com

Sconzo, Michael wrote:
> I put these together, maybe somebody will find them useful.
> 
> The first one:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "iframe in image file"; flow: from_server,established; pcre:"/content-type\:\s+image\/(jpeg|gif|png)/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype: web-application-attack; rev:1; sid:3000000;)

Put this in current_events, and cut it into 3 sigs to get a good anchor 
before the pcre's:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\:"; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/jpeg/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008313; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\:"; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/gif/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008314; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\:"; nocase; content:" image/png"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/png/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008315; rev:1;)

> The second one:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Possible harmful site - request b.js"; flow:established,to_server; uricontent:"b.js"; classtype:web-application-attack; rev:1; sid:3000001;)

Added a leading /, but also in current_events.

Thanks Mike!!

Matt

> 
> is along the same lines, except this looks for a client request for b.js
> that seems to indicate that a client is following an injected iframe to
> some malicious code.
> 
> Any and all feedback is welcome.
> -=Mike
> 
> ---
> Mike Sconzo <msconzo at ercot.com>
> ERCOT Security Operations
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
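The following is an added example, not code from the thread, from Emerging Threats or from either poster. It re-implements in Python the logic of the rules discussed above and runs it over constructed sample traffic, to show two things the messages only state: why the ordered content anchors (with Snort's distance/within semantics as emulated here) keep the pcre checks from running on most responses, and why adding the leading "/" to the b.js uricontent matters. The sample HTTP responses and requests, the .invalid hostnames, the function names and the pcre-run counter are all constructed for this example.

```python
"""Emulation of the three "Iframe in Purported Image Download" rules and of
the b.js uricontent rule, over constructed sample traffic (added example)."""
import re

# Constructed sample server responses (not real captures): CRLF headers, then body.
INJECTED_JPEG = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: image/jpeg\r\n\r\n"
    b'<iframe src="http://malicious.invalid/b.js" width=0 height=0></iframe>'
)
INJECTED_GIF = INJECTED_JPEG.replace(b"image/jpeg", b"image/gif")
REAL_JPEG = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"  # JPEG magic, no HTML at all
)
HTML_WITH_IFRAME = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<html><iframe src="http://partner.invalid/ad.html"></iframe></html>'
)

# sids from the three rules posted in the thread, keyed by image subtype.
IMAGE_SIDS = {b"jpeg": 2008313, b"gif": 2008314, b"png": 2008315}


def find_nocase(hay, needle, start=0, within=None):
    """Case-insensitive search for needle in hay from offset start.
    With within=N the whole needle must lie inside hay[start:start+N], which
    is how distance:0; within:N is emulated here. Returns the offset just past
    the match, or -1 if there is none."""
    stop = None if within is None else start + within
    i = hay[start:stop].lower().find(needle.lower())
    return -1 if i < 0 else start + i + len(needle)


def match_image_iframe(payload, subtype, stats):
    """Emulate one server-side rule: three ordered content anchors, then pcre."""
    # content:"|0d 0a|content-type|3a|"; nocase;
    end = find_nocase(payload, b"\r\ncontent-type:")
    if end < 0:
        return False
    # content:" image/<subtype>"; nocase; distance:0; within:30;
    end = find_nocase(payload, b" image/" + subtype, start=end, within=30)
    if end < 0:
        return False
    # content:"<iframe"; nocase; distance:0;
    end = find_nocase(payload, b"<iframe", start=end)
    if end < 0:
        return False
    # Only payloads that passed every anchor reach the regexes; count those.
    stats["pcre_runs"] += 1
    if not re.search(rb"content-type:\s+image/" + subtype, payload, re.I | re.M):
        return False
    return re.search(rb"<iframe.*?src.*?>.*?</iframe>", payload, re.I | re.M) is not None


def inspect_response(payload, stats=None):
    """Return the sids of the three image/iframe rules that fire on payload."""
    stats = stats if stats is not None else {"pcre_runs": 0}
    return [sid for subtype, sid in IMAGE_SIDS.items()
            if match_image_iframe(payload, subtype, stats)]


def count_pcre_runs(payloads):
    """How many times the pcre stage ran across all payloads and all three rules."""
    stats = {"pcre_runs": 0}
    for payload in payloads:
        inspect_response(payload, stats)
    return stats["pcre_runs"]


def request_uri(request):
    """Return the request-URI from the request line of a client HTTP request."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def match_uricontent(request, pattern):
    """uricontent without nocase is a plain, case-sensitive substring test on the URI."""
    return pattern in request_uri(request)


if __name__ == "__main__":
    samples = [("INJECTED_JPEG", INJECTED_JPEG), ("INJECTED_GIF", INJECTED_GIF),
               ("REAL_JPEG", REAL_JPEG), ("HTML_WITH_IFRAME", HTML_WITH_IFRAME)]
    for name, payload in samples:
        print(f"{name:17} -> sids {inspect_response(payload)}")
    print("pcre stage ran", count_pcre_runs([p for _, p in samples]),
          "times for 4 responses x 3 rules")
    for uri in (b"/b.js", b"/web.js", b"/index.html"):
        req = b"GET " + uri + b" HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
        print(f"{uri!r:15} b.js={match_uricontent(req, b'b.js')}"
              f"  /b.js={match_uricontent(req, b'/b.js')}")
```

The benign JPEG and the HTML page never reach the regex stage: the real image fails the `<iframe` anchor and the HTML page fails the ` image/` anchor, so only the two injected responses cost a pcre evaluation. On the request side, `/web.js` satisfies the bare `b.js` uricontent but not `/b.js`, which is the false positive the leading slash removes; `/b.js` still also matches longer names such as `/b.json`, so the anchor narrows the rule rather than making it exact.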


