[Emerging-Sigs] ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)

Will Metcalf william.metcalf at gmail.com
Fri Oct 22 14:23:09 EDT 2010


This is completely contradictory to what is in the Snort users manual,
so I wouldn't say usage isn't "neat", I would say its usage is very
clearly defined and apparently not adhered to. Joel?

Regards,

Will

"3.5.24 file_data
This option is used to place the cursor (used to walk the packet
payload in rules processing) at the beginning of either
the entity body of a HTTP response or the SMTP body data. For this
option to work with HTTP response, certain
HTTP Inspect options such as extended_response_inspection and
inspect_gzip (for decompressed gzip data)
need to be turned on. See 2.2.6 for more details.
When used with argument mime it places the cursor at the beginning of
the base64 decoded MIME attachment or
base64 decoded MIME body. This is dependent on the SMTP config option
enable_mime_decoding. See 2.2.7 for
more details.
Format
file_data;
file_data:mime;
This option matches if there is HTTP response body or SMTP body or
SMTP MIME base64 decoded data. This
option will operate similarly to the dce_stub_data option added with
DCE/RPC2, in that it simply sets a reference
for other relative rule options (byte_test, byte_jump, pcre) to use.
This file data can point to either a file or a block
of data.
! NOTE
Multiple base64 encoded attachments in one packet are pipelined.

Example
alert tcp any 80 -> any any(msg:"foo at the start of http response body"; \
file_data; content:"foo"; nocase; within:3;)
alert tcp any any -> any any(msg:"MIME BASE64 Encoded Data";\
file_data:mime; content:"foo"; within:10;)
"

On Fri, Oct 22, 2010 at 1:04 PM, Pedro Marinho <pppmarinho at gmail.com> wrote:
> Will,
>
> I tested this and it does work..
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> (flow:established,to_client; file_data; content:"%PDF-"; depth:5;
> classtype:bad-unknown;)
>
> I guess it is possible to use depth with file_data. Now I am confused.. the
> snort manual is not neat about its usage..
>
>
> Message: 1
> Date: Thu, 21 Oct 2010 22:20:51 -0500
> From: Will Metcalf <william.metcalf at gmail.com>
> Subject: Re: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP
>        404 XSS Attempt (External Source)
> To: "Lay, James" <james.lay at wincofoods.com>
> Cc: "emerging-sigs at emergingthreats.net"
>        <Emerging-sigs at emergingthreats.net>
> Message-ID:
>        <AANLkTinosDDspQtDjm4yPVD5RL5BEA8z0T4LgY+jf0Ay at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> And perhaps there is a bug in file_data ;-)....  Anyway I'm disabling
> this sig by default.
>
> Regards,
>
> Will
>
> On Thu, Oct 21, 2010 at 5:06 PM, Will Metcalf <william.metcalf at gmail.com>
> wrote:
>> Hmmm if somebody can send a pcap off list that would be awesome. I
>> have tweaked the sig a bit as I believe the original intent was to
>> identify xss in 4xx 5xx response bodies and the conversion was borked
>> as file_data moves the inspection pointer similar to dce_stub_data so
>> the depth check is from the beginning of the payload not from the
>> start of file_data.
>>
>> Regards,
>>
>> Will
>>
>> On Thu, Oct 21, 2010 at 4:33 PM, Lay, James <james.lay at wincofoods.com>
>> wrote:
>>>
>>>
>>> -----Original Message-----
>>> From: emerging-sigs-bounces at emergingthreats.net
>>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Eoin
>>> Miller
>>> Sent: Thursday, October 21, 2010 3:20 PM
>>> To: emerging-sigs at emergingthreats.net
>>> Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
>>> XSS Attempt (External Source)
>>>
>>> I am not sure if I understand the point of this signature:
>>>
>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
>>> Possible HTTP 404 XSS Attempt (External Source)";
>>> flow:from_server,established; content:"404"; http_stat_code;
>>> content:"Not Found"; nocase; http_stat_msg; file_data;
>>> content:"<script"; nocase; depth:280; classtype:web-application-attack;
>>> reference:url,doc.emergingthreats.net/2010518;
>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Error_XSS;
>>> sid:2010518; rev:5;)
>>>
>>>
>>> I'm in the same boat...hit and packet dump enclosed:
>>>
>>> 10/21-14:06:21.176785 [**] [1:2010518:5] ET WEB_CLIENT Possible HTTP
>>> 404 XSS Attempt (External Source) [**] [Classification: Web Application
>>> Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018
>>>
>>> 14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.],
>>> ack 4289524988, win 63784, length 233
>>>         0x0000:  4500 0111 5036 4000 3906 a92b 614a 39f6  E...P6@.9..+aJ9.
>>>         0x0010:  42c1 6984 0050 6d72 3248 898d ffac f4fc  B.i..Pmr2H......
>>>         0x0020:  5018 f928 bdcb 0000 4854 5450 2f31 2e31  P..(....HTTP/1.1
>>>         0x0030:  2034 3034 204e 6f74 2046 6f75 6e64 0d0a  .404.Not.Found..
>>>         0x0040:  4461 7465 3a20 5468 752c 2032 3120 4f63  Date:.Thu,.21.Oc
>>>         0x0050:  7420 3230 3130 2032 303a 3036 3a32 3620  t.2010.20:06:26.
>>>         0x0060:  474d 540d 0a53 6572 7665 723a 2041 7061  GMT..Server:.Apa
>>>         0x0070:  6368 650d 0a4b 6565 702d 416c 6976 653a  che..Keep-Alive:
>>>         0x0080:  2074 696d 656f 7574 3d31 352c 206d 6178  .timeout=15,.max
>>>         0x0090:  3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a  =48..Connection:
>>>         0x00a0:  204b 6565 702d 416c 6976 650d 0a54 7261  .Keep-Alive..Tra
>>>         0x00b0:  6e73 6665 722d 456e 636f 6469 6e67 3a20  nsfer-Encoding:.
>>>         0x00c0:  6368 756e 6b65 640d 0a43 6f6e 7465 6e74  chunked..Content
>>>         0x00d0:  2d54 7970 653a 2074 6578 742f 6874 6d6c  -Type:.text/html
>>>         0x00e0:  3b20 6368 6172 7365 743d 7574 662d 380d  ;.charset=utf-8.
>>>         0x00f0:  0a0d 0a31 3720 0d0a 3c68 313e 3430 3420  ...17...<h1>404.
>>>         0x0100:  4e6f 7420 466f 756e 6421 3c2f 6831 3e0d  Not.Found!</h1>.
>>>         0x0110:  0a                                       .
>>>
>> >>
>> >>
>>
>>
>>
>
>
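To make the disagreement in this thread concrete, here is an added Python model (my own example code, not Snort source and not any rule from the ET ruleset). It parses the hexdump James posted, puts a simplified file_data cursor on the first byte after the HTTP headers, and evaluates a content/depth check under both readings argued above: depth counted from the file_data cursor (what Pedro's %PDF- test suggests) and depth counted from the start of the raw TCP payload (what Will suspects the converted sig is doing). The function names, the header-terminator cursor, and the two constructed responses are my assumptions; real Snort inspects the reassembled, de-chunked (and optionally gunzipped) body, which this model does not do.

```python
"""Toy model of a Snort `content; depth:N` check relative to the file_data cursor.
Added example, not Snort code. Models the two readings discussed in the thread."""

# Hexdump rows transcribed from the packet dump in the thread (IPv4 + TCP + payload).
HEXDUMP = """\
0x0000: 4500 0111 5036 4000 3906 a92b 614a 39f6
0x0010: 42c1 6984 0050 6d72 3248 898d ffac f4fc
0x0020: 5018 f928 bdcb 0000 4854 5450 2f31 2e31
0x0030: 2034 3034 204e 6f74 2046 6f75 6e64 0d0a
0x0040: 4461 7465 3a20 5468 752c 2032 3120 4f63
0x0050: 7420 3230 3130 2032 303a 3036 3a32 3620
0x0060: 474d 540d 0a53 6572 7665 723a 2041 7061
0x0070: 6368 650d 0a4b 6565 702d 416c 6976 653a
0x0080: 2074 696d 656f 7574 3d31 352c 206d 6178
0x0090: 3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a
0x00a0: 204b 6565 702d 416c 6976 650d 0a54 7261
0x00b0: 6e73 6665 722d 456e 636f 6469 6e67 3a20
0x00c0: 6368 756e 6b65 640d 0a43 6f6e 7465 6e74
0x00d0: 2d54 7970 653a 2074 6578 742f 6874 6d6c
0x00e0: 3b20 6368 6172 7365 743d 7574 662d 380d
0x00f0: 0a0d 0a31 3720 0d0a 3c68 313e 3430 3420
0x0100: 4e6f 7420 466f 756e 6421 3c2f 6831 3e0d
0x0110: 0a
"""


def frame_from_hexdump(dump: str) -> bytes:
    """Drop the offset column and join the hex words into raw frame bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def tcp_payload(frame: bytes) -> bytes:
    """Skip the IPv4 header (IHL nibble) and the TCP header (data-offset nibble)."""
    ihl = (frame[0] & 0x0F) * 4
    data_off = (frame[ihl + 12] >> 4) * 4
    return frame[ihl + data_off:]


def file_data_cursor(payload: bytes) -> int:
    """Simplified file_data (assumption): cursor on the first byte after the
    HTTP header block of this one packet. Snort itself works on the
    reassembled, de-chunked body; this model does not."""
    end = payload.find(b"\r\n\r\n")
    return len(payload) if end < 0 else end + 4


def content_depth(payload, needle, depth, cursor, depth_from_cursor, nocase=False):
    """Evaluate `content:needle; depth:N` two ways:
    depth_from_cursor=True  -> search the N bytes starting at the file_data cursor
    depth_from_cursor=False -> search the first N bytes of the raw payload
                               (the behaviour Will describes as borked)."""
    start = cursor if depth_from_cursor else 0
    window = payload[start:start + depth]  # a depth-bounded match must fit inside
    if nocase:
        window, needle = window.lower(), needle.lower()
    return window.find(needle) >= 0


# Constructed responses (not from the capture) used to show the two readings diverge.
PDF_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
                b"%PDF-1.4\n%constructed\n")
LONG_HEADER_404 = (b"HTTP/1.1 404 Not Found\r\n"
                   + b"Set-Cookie: " + b"x" * 300 + b"\r\n\r\n"
                   + b"<SCRIPT>/* constructed body */</SCRIPT>")


def pedro_rule(payload, depth_from_cursor):
    """file_data; content:"%PDF-"; depth:5; as in Pedro's test rule."""
    return content_depth(payload, b"%PDF-", 5,
                         file_data_cursor(payload), depth_from_cursor)


def sid_2010518_body_check(payload, depth_from_cursor):
    """The file_data; content:"<script"; nocase; depth:280; part of sid:2010518."""
    return content_depth(payload, b"<script", 280,
                         file_data_cursor(payload), depth_from_cursor, nocase=True)


if __name__ == "__main__":
    captured = tcp_payload(frame_from_hexdump(HEXDUMP))
    print(len(captured), "payload bytes; body starts at offset", file_data_cursor(captured))
    for name, pl in (("captured 404", captured), ("pdf", PDF_RESPONSE),
                     ("long-header 404", LONG_HEADER_404)):
        print(f"{name:16} %PDF- rule: cursor={pedro_rule(pl, True)} payload={pedro_rule(pl, False)}"
              f"  <script check: cursor={sid_2010518_body_check(pl, True)}"
              f" payload={sid_2010518_body_check(pl, False)}")
```

On the captured packet the body is only the chunked `<h1>404 Not Found!</h1>`, so neither reading finds `<script` in this packet alone. The `%PDF-` response can only match when depth is counted from the cursor (from the payload start, the first five bytes are `HTTP/`), and the constructed long-header response shows the other direction: with about 340 bytes of headers, a payload-relative depth:280 never reaches the body at all, while a cursor-relative one matches immediately.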

