[Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)

Will Metcalf william.metcalf at gmail.com
Thu Oct 21 18:06:20 EDT 2010


Hmmm, if somebody can send a pcap off list that would be awesome.  I
have tweaked the sig a bit, as I believe the original intent was to
identify XSS in 4xx/5xx response bodies and the conversion was borked:
file_data moves the inspection pointer, similar to dce_stub_data, so
the depth check is from the beginning of the payload, not from the
start of file_data.

Regards,

Will

On Thu, Oct 21, 2010 at 4:33 PM, Lay, James <james.lay at wincofoods.com> wrote:
>
>
> -----Original Message-----
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Eoin
> Miller
> Sent: Thursday, October 21, 2010 3:20 PM
> To: emerging-sigs at emergingthreats.net
> Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
> XSS Attempt (External Source)
>
> I am not sure if I understand the point of this signature:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Possible HTTP 404 XSS Attempt (External Source)";
> flow:from_server,established; content:"404"; http_stat_code;
> content:"Not Found"; nocase; http_stat_msg; file_data;
> content:"<script"; nocase; depth:280; classtype:web-application-attack;
> reference:url,doc.emergingthreats.net/2010518;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT
> /WEB_Error_XSS;
> sid:2010518; rev:5;)
>
>
> I'm in the same boat...hit and packet dump enclosed:
>
> 10/21-14:06:21.176785  [**] [1:2010518:5] ET WEB_CLIENT Possible HTTP
> 404 XSS Attempt (External Source) [**] [Classification: Web Application
> Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018
>
> 14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.],
> ack 4289524988, win 63784, length 233
>        0x0000:  4500 0111 5036 4000 3906 a92b 614a 39f6  E...P6@.9..+aJ9.
>        0x0010:  42c1 6984 0050 6d72 3248 898d ffac f4fc  B.i..Pmr2H......
>        0x0020:  5018 f928 bdcb 0000 4854 5450 2f31 2e31  P..(....HTTP/1.1
>        0x0030:  2034 3034 204e 6f74 2046 6f75 6e64 0d0a  .404.Not.Found..
>        0x0040:  4461 7465 3a20 5468 752c 2032 3120 4f63  Date:.Thu,.21.Oc
>        0x0050:  7420 3230 3130 2032 303a 3036 3a32 3620  t.2010.20:06:26.
>        0x0060:  474d 540d 0a53 6572 7665 723a 2041 7061  GMT..Server:.Apa
>        0x0070:  6368 650d 0a4b 6565 702d 416c 6976 653a  che..Keep-Alive:
>        0x0080:  2074 696d 656f 7574 3d31 352c 206d 6178  .timeout=15,.max
>        0x0090:  3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a  =48..Connection:
>        0x00a0:  204b 6565 702d 416c 6976 650d 0a54 7261  .Keep-Alive..Tra
>        0x00b0:  6e73 6665 722d 456e 636f 6469 6e67 3a20  nsfer-Encoding:.
>        0x00c0:  6368 756e 6b65 640d 0a43 6f6e 7465 6e74  chunked..Content
>        0x00d0:  2d54 7970 653a 2074 6578 742f 6874 6d6c  -Type:.text/html
>        0x00e0:  3b20 6368 6172 7365 743d 7574 662d 380d  ;.charset=utf-8.
>        0x00f0:  0a0d 0a31 3720 0d0a 3c68 313e 3430 3420  ...17...<h1>404.
>        0x0100:  4e6f 7420 466f 756e 6421 3c2f 6831 3e0d  Not.Found!</h1>.
>        0x0110:  0a                                       .
>
>
>


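Will's point about file_data moving the inspection pointer, as an added example that is not part of the thread or of the ET rule set: a small Python model of the two depth interpretations, applied to the response rebuilt from the hex dump quoted above and to a constructed error page that echoes the requested path. The dechunker and the match logic are simplified stand-ins for Snort's HTTP inspection, not its code.

```python
# Added model, not Snort/ET code: `depth` counted from the raw TCP payload
# (no file_data) versus from the de-chunked response body (after file_data).
CAPTURED_404 = (  # rebuilt from the hex dump quoted above (first segment only)
    b"HTTP/1.1 404 Not Found\r\nDate: Thu, 21 Oct 2010 20:06:26 GMT\r\n"
    b"Server: Apache\r\nKeep-Alive: timeout=15, max=48\r\nConnection: Keep-Alive\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"17 \r\n<h1>404 Not Found!</h1>\r\n"  # chunked body continues in later packets
)

def chunked(*chunks: bytes) -> bytes:
    """Frame the given chunks with Transfer-Encoding: chunked encoding."""
    return b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"

# Constructed error page that echoes the requested path unescaped; it reuses the
# 203 bytes of captured headers and carries a two-chunk body.
REFLECTED_404 = CAPTURED_404.partition(b"\r\n\r\n")[0] + b"\r\n\r\n" + chunked(
    b"<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>",
    b"<p>The requested URL /<script>x</script> was not found.</p>",
)

def split_http_response(raw: bytes) -> tuple:
    """Return (header block, body); de-chunk the body, tolerating a truncated stream."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" not in head.lower():
        return head, rest
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:  # terminating chunk, or stream cut off before it
            break
        body += rest[:size]
        rest = rest[size + 2:]  # skip the chunk data and its trailing CRLF
    return head, body

def script_offsets(raw: bytes) -> tuple:
    """Offset of '<script' in the raw payload and in the de-chunked body (-1 if absent)."""
    _, body = split_http_response(raw)
    return raw.lower().find(b"<script"), body.lower().find(b"<script")

def rule_fires(raw: bytes, use_file_data: bool, depth: int = 280) -> bool:
    """Model of sid 2010518: 404 status, then `content:"<script"; nocase; depth:280`
    measured from the body (with file_data) or from the raw payload (without)."""
    head, body = split_http_response(raw)
    status = head.split(b"\r\n", 1)[0]
    if b" 404 " not in status or b"not found" not in status.lower():
        return False
    window = (body if use_file_data else raw)[:depth]
    return b"<script" in window.lower()
```

With the captured headers taking 203 bytes, the reflected tag lands at raw offset 306 but body offset 93, so the rule only sees it when depth is measured after file_data.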