[Emerging-Sigs] Another ASPROX Snort rule
Rodrigo Montoro(Sp0oKeR)
spooker at gmail.com
Mon Jul 7 13:55:33 EDT 2008
Hi Greg,
I agree with you about detection in both vectors, but I think http_inspect
should work on traffic to our servers, not to another web server.
About my rule, I really didn't look at the ET rules before sending this suggestion,
but I have 2 points:
1-) I have two content checks before running the pcre, so I think we could use 3
contents and only then activate the pcre; I don't think it'll be bad for performance.
2-) About rules to detect traffic to external http servers, IN MY OPINION
it's a content filtering job, not an IDS job. In a network with hundreds or
thousands of users, how many analyses per second will this kind of rule perform?
This I really think will be bad for snort performance.
Regards,
Rodrigo Montoro(Sp0oKeR)
On Mon, Jul 7, 2008 at 2:04 PM, Greg Martin <gregm at econet.com> wrote:
> Rodrigo,
>
> The Injection attack is only how the ngg.js malware links are planted
> on trusted sites, once a site is compromised any visitors who access
> the ngg.js could potentially be compromised. This means you need
> detection for both attack vectors... one to protect the ASP sites and
> another to protect client browsers.
>
> FYI the following simple rules, which have been in ET for a few weeks,
> catch the SQL injection you are referring to already:
>
> #by Adam Pointon from SentinelSecurity.com.au
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Possible SQL Injection (varchar)"; flow:established,to_server; uricontent:"varchar("; nocase; classtype:attempted-admin; sid:2008175; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB Possible SQL (exec)"; flow:established,to_server; uricontent:"exec("; nocase; classtype:attempted-admin; sid:2008176; rev:1;)
>
>
> As for the javascript filename changing, it seems to be a slow rate
> so far (months). Best we can do is continue to update and deprecate
> rules as necessary. As for concatenating them into one rule, I
> despise using pcre for that stuff because of the overhead on snort.
>
> -Greg
>
> http://infosec20.blogspot.com
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
--
===========================
Rodrigo Montoro (Sp0oKeR)
Security Analyst
SnortCP / RHCE / LPIC-I / MCSO
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================
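The thread argues about two things: whether the single-content ET rules above are enough, and whether gating a pcre behind several uricontent matches keeps the pcre cost down. The following added example (not code from the list, from Greg, or from Rodrigo) emulates that behaviour in plain Python so the trade-off can be measured: the two ET rules are modelled as one substring match each, and a hypothetical combined rule runs a pcre only after three content checks pass, counting how often the pcre actually executes versus a pcre with no content gate. The sample URIs are constructed (the first one follows the general DECLARE/VARCHAR/EXEC shape the thread discusses, the others are benign lookalikes), the regular expression is an assumption for illustration rather than a published rule, and the matcher is a simplified stand-in for Snort's http_inspect normalization and multi-pattern engine.

```python
import re
from urllib.parse import unquote

# Constructed sample URIs, not captured traffic. Index 0 mimics the
# DECLARE ... VARCHAR(...) ... EXEC(...) shape discussed in the thread;
# indexes 1-3 are benign requests that share a substring with the rules.
SAMPLE_URIS = [
    "/page.asp?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C%20AS%20VARCHAR(4000));EXEC(@S);--",
    "/products.asp?id=42",
    "/search.asp?q=exec(utive)+summary",
    "/docs/varchar(4000)-limits.html",
]

# Hypothetical pcre for the combined rule: an assumption for this example,
# not a rule from the page. Anchors on the DECLARE/VARCHAR(n)/EXEC(@var) chain.
PCRE_COMBINED = re.compile(
    r"declare\s+@\w+\s+varchar\(\d+\).*?exec\(@\w+\)", re.I | re.S
)


def normalize_uri(raw: str) -> str:
    """Simplified stand-in for http_inspect's URI normalization: percent-decode only."""
    return unquote(raw)


def uricontent(uri: str, needle: str, nocase: bool = True) -> bool:
    """Emulates Snort's uricontent option: a plain substring match, optionally case-insensitive."""
    if nocase:
        return needle.lower() in uri.lower()
    return needle in uri


def et_2008175_varchar(uri: str) -> bool:
    """The quoted ET rule 'Possible SQL Injection (varchar)': one content, nocase."""
    return uricontent(uri, "varchar(")


def et_2008176_exec(uri: str) -> bool:
    """The quoted ET rule 'Possible SQL (exec)': one content, nocase."""
    return uricontent(uri, "exec(")


def combined_gated(uri: str, stats: dict) -> bool:
    """Hypothetical combined rule: three cheap contents must all hit before the pcre runs."""
    for needle in ("declare", "varchar(", "exec("):
        if not uricontent(uri, needle):
            return False  # fast path: the pcre is never evaluated for this URI
    stats["pcre_evals"] += 1
    return PCRE_COMBINED.search(uri) is not None


def pcre_ungated(uri: str, stats: dict) -> bool:
    """Same pcre with no content gate: evaluated on every URI."""
    stats["pcre_evals"] += 1
    return PCRE_COMBINED.search(uri) is not None


def evaluate(raw_uris):
    """Run all four matchers over the URIs; return hit indexes and pcre evaluation counts."""
    gated, ungated = {"pcre_evals": 0}, {"pcre_evals": 0}
    hits = {"varchar": [], "exec": [], "combined": [], "pcre_only": []}
    for idx, raw in enumerate(raw_uris):
        uri = normalize_uri(raw)
        if et_2008175_varchar(uri):
            hits["varchar"].append(idx)
        if et_2008176_exec(uri):
            hits["exec"].append(idx)
        if combined_gated(uri, gated):
            hits["combined"].append(idx)
        if pcre_ungated(uri, ungated):
            hits["pcre_only"].append(idx)
    hits["pcre_evals_gated"] = gated["pcre_evals"]
    hits["pcre_evals_ungated"] = ungated["pcre_evals"]
    return hits


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_URIS).items():
        print(f"{key:20s} {value}")
```

On the four constructed URIs the single-content ET rules each fire twice (once on the injection, once on a benign lookalike), the combined rule fires only on the injection, and its pcre runs once instead of four times. That is the effect the content gate buys; what it cannot show is the real cost inside Snort, where content matches go through the multi-pattern engine and the pcre's own complexity on long URIs still matters, so measure on live traffic before trusting any emulation like this one.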