[Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)

Lay, James james.lay at wincofoods.com
Thu Oct 21 17:33:57 EDT 2010



-----Original Message-----
From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Eoin
Miller
Sent: Thursday, October 21, 2010 3:20 PM
To: emerging-sigs at emergingthreats.net
Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
XSS Attempt (External Source)

I am not sure if I understand the point of this signature:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)"; flow:from_server,established; content:"404"; http_stat_code; content:"Not Found"; nocase; http_stat_msg; file_data; content:"<script"; nocase; depth:280; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2010518; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Error_XSS; sid:2010518; rev:5;)


I'm in the same boat...hit and packet dump enclosed:

10/21-14:06:21.176785  [**] [1:2010518:5] ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source) [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018

14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.], ack 4289524988, win 63784, length 233
        0x0000:  4500 0111 5036 4000 3906 a92b 614a 39f6  E...P6@.9..+aJ9.
        0x0010:  42c1 6984 0050 6d72 3248 898d ffac f4fc  B.i..Pmr2H......
        0x0020:  5018 f928 bdcb 0000 4854 5450 2f31 2e31  P..(....HTTP/1.1
        0x0030:  2034 3034 204e 6f74 2046 6f75 6e64 0d0a  .404.Not.Found..
        0x0040:  4461 7465 3a20 5468 752c 2032 3120 4f63  Date:.Thu,.21.Oc
        0x0050:  7420 3230 3130 2032 303a 3036 3a32 3620  t.2010.20:06:26.
        0x0060:  474d 540d 0a53 6572 7665 723a 2041 7061  GMT..Server:.Apa
        0x0070:  6368 650d 0a4b 6565 702d 416c 6976 653a  che..Keep-Alive:
        0x0080:  2074 696d 656f 7574 3d31 352c 206d 6178  .timeout=15,.max
        0x0090:  3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a  =48..Connection:
        0x00a0:  204b 6565 702d 416c 6976 650d 0a54 7261  .Keep-Alive..Tra
        0x00b0:  6e73 6665 722d 456e 636f 6469 6e67 3a20  nsfer-Encoding:.
        0x00c0:  6368 756e 6b65 640d 0a43 6f6e 7465 6e74  chunked..Content
        0x00d0:  2d54 7970 653a 2074 6578 742f 6874 6d6c  -Type:.text/html
        0x00e0:  3b20 6368 6172 7365 743d 7574 662d 380d  ;.charset=utf-8.
        0x00f0:  0a0d 0a31 3720 0d0a 3c68 313e 3430 3420  ...17...<h1>404.
        0x0100:  4e6f 7420 466f 756e 6421 3c2f 6831 3e0d  Not.Found!</h1>.
        0x0110:  0a                                       .
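
An added triage sketch, not part of the original message or of the Emerging Threats ruleset: it rebuilds the 233-byte TCP payload from the ASCII column of the dump above and checks the rule's three content conditions against that single segment. The function names are hypothetical, and treating file_data as the dechunked response body is a simplifying assumption.

```python
# Constructed from the ASCII column of the dump above: the 233-byte TCP payload.
PAYLOAD = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Thu, 21 Oct 2010 20:06:26 GMT\r\n"
    b"Server: Apache\r\n"
    b"Keep-Alive: timeout=15, max=48\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"17 \r\n"
    b"<h1>404 Not Found!</h1>\r\n"
)


def dechunk(body):
    """Decode a possibly truncated chunked body; return (data, complete)."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return out, False              # next chunk-size line not captured
        size = int(body[pos:eol].split(b";")[0].strip(), 16)
        if size == 0:
            return out, True               # terminating zero-length chunk seen
        chunk = body[eol + 2:eol + 2 + size]
        out += chunk
        if len(chunk) < size:
            return out, False              # chunk cut off mid-way
        pos = eol + 2 + size + 2           # skip chunk data and its CRLF


def evaluate(payload, depth=280):
    """Check the rule's content conditions against one captured segment."""
    head, _, body = payload.partition(b"\r\n\r\n")
    _, code, msg = head.split(b"\r\n")[0].split(b" ", 2)
    chunked = b"transfer-encoding: chunked" in head.lower()
    # Assumption: file_data is modelled as the dechunked response body.
    data, complete = dechunk(body) if chunked else (body, True)
    return {
        "stat_code": b"404" in code,                      # content:"404"; http_stat_code
        "stat_msg": b"not found" in msg.lower(),          # content:"Not Found"; nocase
        "script_in_depth": b"<script" in data[:depth].lower(),  # depth:280
        "body_bytes": len(data),
        "body_complete": complete,
    }
```

On this segment the status-code and status-message conditions hold, but the decoded body is only the first 23-byte chunk and contains no "<script". The chunked body is not terminated within this packet.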



