
List:       snort-sigs
Subject:    Re: [Snort-sigs] Linking this with that to create an alert
From:       James Lay <jlay () slave-tothe-box ! net>
Date:       2014-01-29 16:46:51
Message-ID: c51970ac2316d356bff269e98e552cd1 () localhost

On 2014-01-29 09:37, rmkml wrote:
> Hi James,
>
> First, thanks for all your sharing!
>
> Please try with these two sigs,
>
> The first sig matches /jquery on http_uri and sets a flowbit.
>
> The second sig checks the flowbit first and then the HTTP reply for
> document.write.
>
> Don't forget to add flowbits:noalert; to the first sig if it works ;)
>
> alert tcp any any -> any 80 (msg:"jquery uri flowbits"; flow:to_server,established; content:"/jquery"; nocase; http_uri; flowbits:set,http.jquery; classtype:web-application-activity; sid:1; rev:99;)
> # add flowbits:noalert; to the rule above once it works
>
> alert tcp any 80 -> any any (msg:"jquery uri with document.write reply attempt"; flow:to_client,established; flowbits:isset,http.jquery; file_data; content:"document.write"; distance:0; classtype:web-application-activity; sid:2; rev:99;)
>
> Best Regards
> @Rmkml
>
>
>
> On Wed, 29 Jan 2014, James Lay wrote:
>
>> All,
>>
>> In looking at:
>>
>> http://blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html
>>
>> I'm wondering if there's a way to, in plain English: "if I requested a
>> jquery-named file, and that file contains a document.write, then alert".
>> Betting it's a flowbit thing, which I've not really used much.  Any
>> good resources that could assist with something like this?  Thanks.
>>
>> James

Thanks RM...I'll give these a go in a bit and report my findings :)

James
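Added example, not part of the thread or of Snort: a small Python model of the two-rule flowbits pattern rmkml posted, run over constructed request/reply pairs so the per-session state can be seen. It reproduces only the logic of sid:1 and sid:2 (set the bit on a /jquery http_uri; alert on a reply whose file_data contains document.write while the bit is set) plus the flowbits:noalert refinement. It also shows the caveat a practitioner hits next: Snort keeps a flowbit for the life of the session, so on an HTTP keep-alive connection a clean jquery fetch followed by an unrelated reply containing document.write still matches sid:2. The sid3_clear_on_other_request function is an assumed refinement (a third rule with content:!"/jquery"; http_uri; flowbits:unset,http.jquery; flowbits:noalert;) and is not in the thread; session ids, URIs and reply bodies are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Msg:
    """One HTTP message as Snort sees it after normalization (constructed)."""
    session: str            # stand-in for the TCP 5-tuple
    to_server: bool         # True = request (flow:to_server), False = reply
    uri: str = ""           # http_uri buffer (requests only)
    body: bytes = b""       # file_data buffer (replies only)


@dataclass
class Flow:
    """Per-session state; Snort keeps flowbits for the life of the session."""
    bits: set = field(default_factory=set)


SID1 = "jquery uri flowbits"
SID2 = "jquery uri with document.write reply attempt"


def sid1_jquery_uri(m, flow, noalert):
    # content:"/jquery"; nocase; http_uri; flowbits:set,http.jquery;
    if m.to_server and "/jquery" in m.uri.lower():
        flow.bits.add("http.jquery")
        return None if noalert else SID1   # flowbits:noalert; suppresses the alert
    return None


def sid2_document_write(m, flow):
    # flowbits:isset,http.jquery; file_data; content:"document.write";
    if (not m.to_server and "http.jquery" in flow.bits
            and b"document.write" in m.body):
        return SID2
    return None


def sid3_clear_on_other_request(m, flow):
    # ASSUMED refinement, not in the posted rules: a request whose http_uri does
    # not contain /jquery clears the bit, so a keep-alive session does not carry
    # it over to unrelated replies.  Roughly:
    #   content:!"/jquery"; nocase; http_uri; flowbits:unset,http.jquery; flowbits:noalert;
    if m.to_server and "/jquery" not in m.uri.lower():
        flow.bits.discard("http.jquery")
    return None


def run(msgs, noalert=True, clear_on_other_request=False):
    """Feed messages through the rules in order; return the alerts raised."""
    flows, alerts = {}, []
    for m in msgs:
        flow = flows.setdefault(m.session, Flow())
        if clear_on_other_request:
            sid3_clear_on_other_request(m, flow)
        for hit in (sid1_jquery_uri(m, flow, noalert), sid2_document_write(m, flow)):
            if hit:
                alerts.append((m.session, hit))
    return alerts


# Constructed traffic, all on one keep-alive session "s1" (not real captures).
REQ_JQUERY = Msg("s1", True, uri="/js/jquery-1.10.2.min.js")
REQ_INDEX = Msg("s1", True, uri="/index.html")
CLEAN_JS = Msg("s1", False, body=b"/*! jQuery v1.10.2 */(function(e,t){var n=[]})(window)")
INJECTED = Msg("s1", False, body=b"/*! jQuery v1.10.2 */document.write('<script src=x.js></script>')")


def scenario_hit():
    """jquery request, then a reply carrying document.write: sid:2 fires."""
    return run([REQ_JQUERY, INJECTED])


def scenario_clean_jquery():
    """jquery request with a clean reply: nothing fires."""
    return run([REQ_JQUERY, CLEAN_JS])


def scenario_docwrite_without_jquery():
    """document.write in a reply to a non-jquery request: nothing fires."""
    return run([REQ_INDEX, INJECTED])


def scenario_keepalive(clear):
    """Clean jquery fetch, then an unrelated reply with document.write on the
    same session.  As posted (clear=False) the lingering bit makes sid:2 fire;
    with the assumed unset rule (clear=True) it does not."""
    return run([REQ_JQUERY, CLEAN_JS, REQ_INDEX, INJECTED],
               clear_on_other_request=clear)


if __name__ == "__main__":
    print("hit:", scenario_hit())
    print("clean jquery:", scenario_clean_jquery())
    print("document.write without jquery:", scenario_docwrite_without_jquery())
    print("keep-alive as posted:", scenario_keepalive(False))
    print("keep-alive with unset:", scenario_keepalive(True))
```

Running it with noalert=False (run([REQ_JQUERY, INJECTED], noalert=False)) shows why rmkml suggests flowbits:noalert: sid:1 then raises its own alert on every jquery request, which is just noise next to the sid:2 hit.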

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!