Home page logo
/

snort logo Snort mailing list archives

Re: ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 22 Oct 2010 13:59:49 -0500

And as a clarification depth fails for me relative to file_data in
2.9.0 as well. Anybody from SF able to verify this yet?  If for no
other reason than for your VRT subscribers?

#VRT rule directory
grep "file_data" *|wc -l
86

Regards,

Will

On Fri, Oct 22, 2010 at 1:23 PM, Will Metcalf <william.metcalf () gmail com> wrote:
This is completely contradictory to what is in the snort users manual,
so I wouldn't say usage isn't "neat" I would say it's usage is very
clearly defined and apparently not adhered to. Joel?

Regards,

Will

"3.5.24 file data
This option is used to place the cursor (used to walk the packet
payload in rules processing) at the beginning of either
the entity body of a HTTP response or the SMTP body data. For this
option to work with HTTP response, certain
HTTP Inspect options such as extended response inspection and inspect
gzip (for decompressed gzip data)
needs to be turned on. See 2.2.6 for more details.
When used with argument mime it places the cursor at the beginning of
the base64 decoded MIME attachment or
base64 decoded MIME body. This is dependent on the SMTP config option
enable mime decoding. See 2.2.7 for
more details.
Format
file_data;
file_data:mime;
This option matches if there is HTTP response body or SMTP body or
SMTP MIME base64 decoded data. This
option will operate similarly to the dce stub data option added with
DCE/RPC2, in that it simply sets a reference
for other relative rule options ( byte test, byte jump, pcre) to use.
This file data can point to either a file or a block
of data.
! NOTE
Multiple base64 encoded attachments in one packet are pipelined.

Example
alert tcp any 80 -> any any(msg:"foo at the start of http response body"; \
file_data; content:"foo"; nocase; within:3;)
alert tcp any any -> any any(msg:"MIME BASE64 Encoded Data";\
file_data:mime; content:"foo"; within:10;)
"

On Fri, Oct 22, 2010 at 1:04 PM, Pedro Marinho <pppmarinho () gmail com> wrote:
Will,

i tested this and does work..

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(flow:established,to_client; file_data; content:"%PDF-"; depth:5;
classtype:bad-unknown;)

i guess is possible to use depth with file_data. now i am confused.. the
snort manual is not neat about it's usage..


Message: 1
Date: Thu, 21 Oct 2010 22:20:51 -0500
From: Will Metcalf <william.metcalf () gmail com>
Subject: Re: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP
       404 XSS Attempt (External Source)
To: "Lay, James" <james.lay () wincofoods com>
Cc: "emerging-sigs () emergingthreats net"
       <Emerging-sigs () emergingthreats net>
Message-ID:
       <AANLkTinosDDspQtDjm4yPVD5RL5BEA8z0T4LgY+jf0Ay () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

And perhaps there is a bug in file_data ;-)....  Anyway I'm disabling
this sig by default.

Regards,

Will

On Thu, Oct 21, 2010 at 5:06 PM, Will Metcalf <william.metcalf () gmail com>
wrote:
Hmmm if somebody can send a ?pcap off list that would be awesome. ?I
have tweaked the sig a bit as I believe the original intent was to
identify xss in 4xx 5xx response bodies and the conversion was borked
as file_data moves the inspection pointer similar to dce_stub_data so
the depth check is from the beginning of the payload not from the
start of file_data.

Regards,

Will

On Thu, Oct 21, 2010 at 4:33 PM, Lay, James <james.lay () wincofoods com>
wrote:


-----Original Message-----
From: emerging-sigs-bounces () emergingthreats net
[mailto:emerging-sigs-bounces () emergingthreats net] On Behalf Of Eoin
Miller
Sent: Thursday, October 21, 2010 3:20 PM
To: emerging-sigs () emergingthreats net
Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
XSS Attempt (External Source)

I am not sure if I understand the point of this signature:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
Possible HTTP 404 XSS Attempt (External Source)";
flow:from_server,established; content:"404"; http_stat_code;
content:"Not Found"; nocase; http_stat_msg; file_data;
content:"<script"; nocase; depth:280; classtype:web-application-

attack;
reference:url,doc.emergingthreats.net/2010518;

reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT
/WEB_Error_XSS;
sid:2010518; rev:5;)


I'm in the same boat...hit and packet dump enclosed:

10/21-14:06:21.176785 ?[**] [1:2010518:5] ET WEB_CLIENT Possible HTTP
404 XSS Attempt (External Source) [**] [Classification: Web Application
Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018

14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.],
ack 4289524988, win 63784, length 233
? ? ? ?0x0000: ?4500 0111 5036 4000 3906 a92b 614a 39f6
E...P6 ()  9  +aJ9 
? ? ? ?0x0010: ?42c1 6984 0050 6d72 3248 898d ffac f4fc
B.i..Pmr2H......
? ? ? ?0x0020: ?5018 f928 bdcb 0000 4854 5450 2f31 2e31
P..(....HTTP/1.1
? ? ? ?0x0030: ?2034 3034 204e 6f74 2046 6f75 6e64 0d0a
.404.Not.Found..
? ? ? ?0x0040: ?4461 7465 3a20 5468 752c 2032 3120 4f63
Date:.Thu,.21.Oc
? ? ? ?0x0050: ?7420 3230 3130 2032 303a 3036 3a32 3620
t.2010.20:06:26.
? ? ? ?0x0060: ?474d 540d 0a53 6572 7665 723a 2041 7061
GMT..Server:.Apa
? ? ? ?0x0070: ?6368 650d 0a4b 6565 702d 416c 6976 653a
che..Keep-Alive:
? ? ? ?0x0080: ?2074 696d 656f 7574 3d31 352c 206d 6178
.timeout=15,.max
? ? ? ?0x0090: ?3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a
=48..Connection:
? ? ? ?0x00a0: ?204b 6565 702d 416c 6976 650d 0a54 7261
.Keep-Alive..Tra
? ? ? ?0x00b0: ?6e73 6665 722d 456e 636f 6469 6e67 3a20
nsfer-Encoding:.
? ? ? ?0x00c0: ?6368 756e 6b65 640d 0a43 6f6e 7465 6e74
chunked..Content
? ? ? ?0x00d0: ?2d54 7970 653a 2074 6578 742f 6874 6d6c
-Type:.text/html
? ? ? ?0x00e0: ?3b20 6368 6172 7365 743d 7574 662d 380d
;.charset=utf-8.
? ? ? ?0x00f0: ?0a0d 0a31 3720 0d0a 3c68 313e 3430 3420
...17...<h1>404.
? ? ? ?0x0100: ?4e6f 7420 466f 756e 6421 3c2f 6831 3e0d
Not.Found!</h1>.
? ? ? ?0x0110: ?0a ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? .



_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
Lanyards

http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html








------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


  By Date           By Thread  

Current thread:
  • Re: ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source) Will Metcalf (Oct 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]