Home page logo
/

snort logo Snort mailing list archives

Re: Linking this with that to create an alert
From: rmkml <rmkml () yahoo fr>
Date: Wed, 29 Jan 2014 17:37:46 +0100 (CET)

Hi James,

First, thx you for your all share!

Please try with these two sigs,

first sig match /jquery on http_uri and set flowbits

second sig check flowbits before and after http reply with document.write.

Don't remember adding flowbits:noalert; on first sig if it's work ;)

alert tcp any any -> any 80 (msg:"jquery uri flowbits"; 
flow:to_server,established; content:"/jquery"; nocase; http_uri; 
flowbits:set,http.jquery; classtype:web-application-activity; sid:1; 
rev:99;) # flowbits:noalert;

alert tcp any 80 -> any any (msg:"jquery uri with document.write reply 
attempt"; flow:to_client,established; flowbits:isset,http.jquery; 
file_data; content:"document.write"; distance:0; 
classtype:web-application-activity; sid:2; rev:99;)

Best Regards
@Rmkml



On Wed, 29 Jan 2014, James Lay wrote:

All,

In looking at:

http://blog.spiderlabs.com/2014/01/beware-bats-hide-in-your-jquery-.html

I'm wondering if there's a way to, in plain English: "if I requested a
jquery named file, and that file contains a document.write, then alert".
Betting it's a flowbit thing, which I've not really used much.  Any
good resources that could assist with something like this?  Thanks.

James

------------------------------------------------------------------------------
WatchGuard Dimension instantly turns raw network data into actionable 
security intelligence. It gives you real-time visual feedback on key
security issues and trends.  Skip the complicated setup - simply import
a virtual appliance and go from zero to informed in seconds.
http://pubads.g.doubleclick.net/gampad/clk?id=123612991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]