Snort mailing list archives

Re: Linking this with that to create an alert
From: rmkml <rmkml () yahoo fr>
Date: Wed, 29 Jan 2014 17:37:46 +0100 (CET)

Hi James,

First, thank you for all your sharing!

Please try these two sigs:

The first sig matches /jquery in http_uri and sets a flowbit.

The second sig checks that flowbit first, then the HTTP reply for document.write.

Don't forget to add flowbits:noalert; to the first sig if it works ;)

# Request side: set the bit on the flow; once the pair works, add flowbits:noalert;
# here so this rule only sets state instead of alerting on every jQuery fetch.
# (sid:1 / sid:2 are in the reserved range; local rules should use sids above 1000000.)
alert tcp any any -> any 80 (msg:"jquery uri flowbits"; \
    flow:to_server,established; content:"/jquery"; nocase; http_uri; \
    flowbits:set,http.jquery; classtype:web-application-activity; sid:1; rev:99;)

# Reply side: fires only on a flow whose request already set http.jquery.
alert tcp any 80 -> any any (msg:"jquery uri with document.write reply attempt"; \
    flow:to_client,established; flowbits:isset,http.jquery; \
    file_data; content:"document.write"; distance:0; \
    classtype:web-application-activity; sid:2; rev:99;)

Best Regards

On Wed, 29 Jan 2014, James Lay wrote:


In looking at:


I'm wondering if there's a way to, in plain English: "if I requested a
jquery named file, and that file contains a document.write, then alert".
Betting it's a flowbit thing, which I've not really used much.  Any
good resources that could assist with something like this?  Thanks.
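As an added illustration (not Snort code and not from either poster), the following Python models just enough of flowbits:set / flowbits:isset / flowbits:noalert to show why the two-rule pair above alerts only on a reply carrying document.write, and only on the flow whose request fetched a jquery URI. The flow key, the packet layout, the http_uri/file_data stand-ins and the sample traffic are all constructed for the example; in real Snort the stream preprocessor and the HTTP inspector do this work.

```python
"""Toy flowbits model (added example, not Snort code).  Every name and the
traffic below are invented to illustrate the request/reply rule pair."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool   # stands in for flow:to_server / flow:to_client
    payload: bytes


def flow_key(p: Pkt) -> Tuple:
    """Direction-independent endpoint pair, so a reply shares state with its request."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (min(a, b), max(a, b))


def http_uri(payload: bytes) -> Optional[bytes]:
    """Crude stand-in for the http_uri buffer: the request-line URI, or None."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) == 3 and parts[0] in (b"GET", b"POST", b"HEAD") else None


def file_data(payload: bytes) -> bytes:
    """Crude stand-in for the file_data buffer: the reply body after the headers."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else b""


def jquery_uri(payload: bytes) -> bool:       # content:"/jquery"; nocase; http_uri;
    uri = http_uri(payload)
    return uri is not None and b"/jquery" in uri.lower()


def docwrite_body(payload: bytes) -> bool:    # file_data; content:"document.write";
    return b"document.write" in file_data(payload)


@dataclass
class Rule:
    sid: int
    msg: str
    to_server: bool
    match: Callable[[bytes], bool]
    flowbit_set: Optional[str] = None      # flowbits:set,<name>
    flowbit_isset: Optional[str] = None    # flowbits:isset,<name>
    noalert: bool = False                  # flowbits:noalert


# sids above 1000000 are the local-rule range (the mail used sid:1 / sid:2).
RULES = [
    Rule(1000001, "jquery uri flowbits", True, jquery_uri,
         flowbit_set="http.jquery", noalert=True),
    Rule(1000002, "jquery uri with document.write reply attempt", False, docwrite_body,
         flowbit_isset="http.jquery"),
]


def run(pkts: List[Pkt], rules: List[Rule] = RULES) -> List[Tuple[int, str]]:
    """Evaluate rules packet by packet; return the (sid, msg) alerts raised, in order."""
    bits: Dict[Tuple, Set[str]] = {}
    alerts: List[Tuple[int, str]] = []
    for p in pkts:
        k = flow_key(p)
        for r in rules:
            if r.to_server != p.to_server or not r.match(p.payload):
                continue
            # isset is a precondition: the reply rule never fires unless the request rule set the bit.
            if r.flowbit_isset and r.flowbit_isset not in bits.get(k, set()):
                continue
            if r.flowbit_set:
                bits.setdefault(k, set()).add(r.flowbit_set)
            if not r.noalert:   # noalert: the rule only records state
                alerts.append((r.sid, r.msg))
    return alerts


def sample_traffic() -> List[Pkt]:
    """Constructed traffic (not a capture): one client, one server, several flows."""
    c, s = "10.0.0.5", "203.0.113.10"

    def req(sport, uri):
        return Pkt(c, sport, s, 80, True, b"GET " + uri + b" HTTP/1.1\r\nHost: example.test\r\n\r\n")

    def rep(sport, body):
        return Pkt(s, 80, c, sport, False, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + body)

    return [
        req(40001, b"/js/jquery-1.7.2.min.js"),
        rep(40001, b"(function(){document.write('<s'+'cript>')})();"),   # alerts: bit set on this flow
        req(40002, b"/index.html"),
        rep(40002, b"<html><script>document.write('x')</script></html>"),  # silent: bit never set
        req(40003, b"/JQUERY.js"),                                          # nocase still sets the bit
        rep(40003, b"var a=1;"),                                            # silent: no document.write
        req(40004, b"/jquery.js"),
        rep(40005, b"document.write('y')"),                                 # silent: different flow
    ]


if __name__ == "__main__":
    for sid, msg in run(sample_traffic()):
        print(f"[{sid}] {msg}")
```

Running it prints a single sid 1000002 alert for the first flow. Dropping noalert from the request rule (as the posted first sig has it) makes sid 1000001 fire on every jQuery request as well, which is the noise rmkml suggests removing once the pair is confirmed working.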

Snort-sigs mailing list
Snort-sigs () lists sourceforge net