[Emerging-Sigs] Another ASPROX Snort rule
Greg Martin
gregm at econet.com
Mon Jul 7 13:04:23 EDT 2008
Rodrigo,
The injection attack is only how the ngg.js malware links are planted
on trusted sites; once a site is compromised, any visitor who loads
the ngg.js could potentially be compromised. This means you need
detection for both attack vectors... one to protect the ASP sites and
another to protect client browsers.
FYI, the following simple rules, which have been in ET for a few weeks,
already catch the SQL injection you are referring to:
#by Adam Pointon from SentinelSecurity.com.au
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Possible SQL Injection (varchar)"; flow:established,to_server; uricontent:"varchar("; nocase; classtype:attempted-admin; sid:2008175; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Possible SQL (exec)"; flow:established,to_server; uricontent:"exec("; nocase; classtype:attempted-admin; sid:2008176; rev:1;)
As for the JavaScript filename changing, it seems to be a slow rate
so far (months). The best we can do is continue to update and deprecate
rules as necessary. As for concatenating them into one rule, I
despise using pcre for that stuff because of the overhead on Snort.
-Greg
http://infosec20.blogspot.com
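The following is an added example, not code from the Emerging Threats project or from the poster above. It re-implements the two quoted `uricontent` checks in Python and runs them over constructed HTTP request lines, and adds a response-side check for the second vector the message describes (the injected `ngg.js` script tag). Assumptions: the request lines and HTML are made up; the URI normalization is only an approximation of what Snort's http_inspect does before `uricontent` is evaluated; the script deny list contains only the one filename the thread names.

```python
"""Two-vector detection sketch for the ASPROX case discussed above.

Added example (not ET or Snort code). Part 1 mirrors the quoted ET rules
sid:2008175 / sid:2008176: a case-insensitive literal match on the
normalized request URI. Part 2 is the client-side vector: flag HTML
responses that carry a <script src=...> pointing at a known-bad filename.
"""
import re
from urllib.parse import unquote

# (sid, needle) pairs mirroring the two quoted rules. 'nocase' in Snort is a
# case-insensitive literal match, so these are substrings, not regexes.
ET_URI_RULES = [
    (2008175, "varchar("),  # "ET WEB Possible SQL Injection (varchar)"
    (2008176, "exec("),     # "ET WEB Possible SQL (exec)"
]

# Only the filename named in the thread; ASPROX rotated names, so a real
# deployment would keep extending this list (assumption, not from the post).
BAD_SCRIPT_NAMES = {"ngg.js"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def normalize_uri(raw_uri):
    """Approximate http_inspect's URI normalization: percent-decode,
    repeating once more so a %25xx double-encoded byte is also unwrapped.
    Without this a '%76archar(' request would slip past a literal match."""
    decoded = raw_uri
    for _ in range(2):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded


def match_uri(uri):
    """Return the sids whose needle appears (case-insensitively) in the URI."""
    norm = normalize_uri(uri).lower()
    return [sid for sid, needle in ET_URI_RULES if needle in norm]


def scan_requests(lines):
    """Run the server-side checks over raw request lines.
    Returns a list of (request_line, [sids]) for the lines that fired."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue  # not a request line; skip
        sids = match_uri(m.group(2))
        if sids:
            hits.append((line.strip(), sids))
    return hits


def injected_scripts(html):
    """Client-side vector: return src values of <script> tags whose filename
    (path basename, query string stripped) is on the deny list."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        name = src.rsplit("/", 1)[-1].split("?", 1)[0].lower()
        if name in BAD_SCRIPT_NAMES:
            found.append(src)
    return found


# Constructed sample input (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.asp?id=1 HTTP/1.1",
    "GET /products.asp?id=1;DECLARE%20@S%20VARCHAR(4000);EXEC(@S) HTTP/1.1",
    "GET /news.asp?id=2;exec%28%27x%27%29 HTTP/1.1",
    "GET /page.asp?q=%76archar%28 HTTP/1.1",  # percent-encoded 'varchar('
]

SAMPLE_HTML = (
    '<html><body>Hi'
    '<script src="http://example.invalid/ngg.js"></script>'
    '<script src="/js/site.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    for line, sids in scan_requests(SAMPLE_REQUESTS):
        print(f"{sids} <- {line}")
    for src in injected_scripts(SAMPLE_HTML):
        print(f"injected script: {src}")
```

The fourth sample request is the reason for the decode step: a literal `uricontent` match only catches it because Snort evaluates `uricontent` against the normalized URI, and any home-grown log scanner needs to do the same decoding or it will miss encoded variants. The response-side check is deliberately a filename list rather than a pcre, in line with the overhead concern raised above.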