[Emerging-Sigs] ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)

Will Metcalf william.metcalf at gmail.com
Fri Oct 22 14:59:49 EDT 2010


And as a clarification, depth fails for me relative to file_data in
2.9.0 as well. Anybody from SF able to verify this yet?  If for no
other reason than for your VRT subscribers?

#VRT rule directory
grep "file_data" *|wc -l
86

Regards,

Will

On Fri, Oct 22, 2010 at 1:23 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> This is completely contradictory to what is in the Snort users manual,
> so I wouldn't say usage isn't "neat"; I would say its usage is very
> clearly defined and apparently not adhered to. Joel?
>
> Regards,
>
> Will
>
> "3.5.24 file_data
> This option is used to place the cursor (used to walk the packet
> payload in rules processing) at the beginning of either
> the entity body of a HTTP response or the SMTP body data. For this
> option to work with HTTP response, certain
> HTTP Inspect options such as extended_response_inspection and
> inspect_gzip (for decompressed gzip data)
> need to be turned on. See 2.2.6 for more details.
> When used with argument mime it places the cursor at the beginning of
> the base64 decoded MIME attachment or
> base64 decoded MIME body. This is dependent on the SMTP config option
> enable_mime_decoding. See 2.2.7 for
> more details.
> Format
> file_data;
> file_data:mime;
> This option matches if there is HTTP response body or SMTP body or
> SMTP MIME base64 decoded data. This
> option will operate similarly to the dce_stub_data option added with
> DCE/RPC2, in that it simply sets a reference
> for other relative rule options (byte_test, byte_jump, pcre) to use.
> This file data can point to either a file or a block
> of data.
> ! NOTE
> Multiple base64 encoded attachments in one packet are pipelined.
>
> Example
> alert tcp any 80 -> any any(msg:"foo at the start of http response body"; \
> file_data; content:"foo"; nocase; within:3;)
> alert tcp any any -> any any(msg:"MIME BASE64 Encoded Data";\
> file_data:mime; content:"foo"; within:10;)
> "
>
> On Fri, Oct 22, 2010 at 1:04 PM, Pedro Marinho <pppmarinho at gmail.com> wrote:
>> Will,
>>
>> I tested this and it does work:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (flow:established,to_client; file_data; content:"%PDF-"; depth:5;
>> classtype:bad-unknown;)
>>
>> I guess it is possible to use depth with file_data. Now I am confused... the
>> Snort manual is not neat about its usage.
>>
>>
>> Message: 1
>> Date: Thu, 21 Oct 2010 22:20:51 -0500
>> From: Will Metcalf <william.metcalf at gmail.com>
>> Subject: Re: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP
>>        404 XSS Attempt (External Source)
>> To: "Lay, James" <james.lay at wincofoods.com>
>> Cc: "emerging-sigs at emergingthreats.net"
>>        <Emerging-sigs at emergingthreats.net>
>> Message-ID:
>>        <AANLkTinosDDspQtDjm4yPVD5RL5BEA8z0T4LgY+jf0Ay at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> And perhaps there is a bug in file_data ;-)....  Anyway I'm disabling
>> this sig by default.
>>
>> Regards,
>>
>> Will
>>
>> On Thu, Oct 21, 2010 at 5:06 PM, Will Metcalf <william.metcalf at gmail.com>
>> wrote:
>>> Hmmm, if somebody can send a pcap off list that would be awesome. I
>>> have tweaked the sig a bit, as I believe the original intent was to
>>> identify XSS in 4xx/5xx response bodies and the conversion was borked:
>>> file_data moves the inspection pointer similar to dce_stub_data, so
>>> the depth check is from the beginning of the payload, not from the
>>> start of file_data.
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Thu, Oct 21, 2010 at 4:33 PM, Lay, James <james.lay at wincofoods.com>
>>> wrote:
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: emerging-sigs-bounces at emergingthreats.net
>>>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Eoin
>>>> Miller
>>>> Sent: Thursday, October 21, 2010 3:20 PM
>>>> To: emerging-sigs at emergingthreats.net
>>>> Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
>>>> XSS Attempt (External Source)
>>>>
>>>> I am not sure if I understand the point of this signature:
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
>>>> Possible HTTP 404 XSS Attempt (External Source)";
>>>> flow:from_server,established; content:"404"; http_stat_code;
>>>> content:"Not Found"; nocase; http_stat_msg; file_data;
>>>> content:"<script"; nocase; depth:280; classtype:web-application-attack;
>>>> reference:url,doc.emergingthreats.net/2010518;
>>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Error_XSS;
>>>> sid:2010518; rev:5;)
>>>>
>>>>
>>>> I'm in the same boat...hit and packet dump enclosed:
>>>>
>>>> 10/21-14:06:21.176785  [**] [1:2010518:5] ET WEB_CLIENT Possible HTTP
>>>> 404 XSS Attempt (External Source) [**] [Classification: Web Application
>>>> Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018
>>>>
>>>> 14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.],
>>>> ack 4289524988, win 63784, length 233
>>>>         0x0000:  4500 0111 5036 4000 3906 a92b 614a 39f6  E...P6@.9..+aJ9.
>>>>         0x0010:  42c1 6984 0050 6d72 3248 898d ffac f4fc  B.i..Pmr2H......
>>>>         0x0020:  5018 f928 bdcb 0000 4854 5450 2f31 2e31  P..(....HTTP/1.1
>>>>         0x0030:  2034 3034 204e 6f74 2046 6f75 6e64 0d0a  .404.Not.Found..
>>>>         0x0040:  4461 7465 3a20 5468 752c 2032 3120 4f63  Date:.Thu,.21.Oc
>>>>         0x0050:  7420 3230 3130 2032 303a 3036 3a32 3620  t.2010.20:06:26.
>>>>         0x0060:  474d 540d 0a53 6572 7665 723a 2041 7061  GMT..Server:.Apa
>>>>         0x0070:  6368 650d 0a4b 6565 702d 416c 6976 653a  che..Keep-Alive:
>>>>         0x0080:  2074 696d 656f 7574 3d31 352c 206d 6178  .timeout=15,.max
>>>>         0x0090:  3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a  =48..Connection:
>>>>         0x00a0:  204b 6565 702d 416c 6976 650d 0a54 7261  .Keep-Alive..Tra
>>>>         0x00b0:  6e73 6665 722d 456e 636f 6469 6e67 3a20  nsfer-Encoding:.
>>>>         0x00c0:  6368 756e 6b65 640d 0a43 6f6e 7465 6e74  chunked..Content
>>>>         0x00d0:  2d54 7970 653a 2074 6578 742f 6874 6d6c  -Type:.text/html
>>>>         0x00e0:  3b20 6368 6172 7365 743d 7574 662d 380d  ;.charset=utf-8.
>>>>         0x00f0:  0a0d 0a31 3720 0d0a 3c68 313e 3430 3420  ...17...<h1>404.
>>>>         0x0100:  4e6f 7420 466f 756e 6421 3c2f 6831 3e0d  Not.Found!</h1>.
>>>>         0x0110:  0a                                       .
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
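The disagreement in this thread is about which buffer `depth` is measured from once `file_data` has moved the cursor: Will reads it as counted from the start of the packet payload, while Pedro's `%PDF-`/`depth:5` test only makes sense if it is counted from the body. The script below is an added example, not code from the thread or from Snort; it models both readings side by side. Its 404 response is transcribed from the packet dump James posted (the 233-byte TCP payload), the PDF response is constructed, and stripping the chunked framing is a stand-in for the HTTP inspect dechunking that `file_data` depends on.

```python
import re

# The 233-byte TCP payload of the 404 response from the packet dump quoted
# in this thread, transcribed from the hex columns of the email.
RESPONSE_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Thu, 21 Oct 2010 20:06:26 GMT\r\n"
    b"Server: Apache\r\n"
    b"Keep-Alive: timeout=15, max=48\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"17 \r\n<h1>404 Not Found!</h1>\r\n"
)

# Constructed response for Pedro's test rule (the thread gives no capture for
# it): a small PDF body behind ordinary headers.
RESPONSE_PDF = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/pdf\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"%PDF-1.4\n%..."
)


def dechunk(raw: bytes) -> bytes:
    """Remove HTTP/1.1 chunked framing (stand-in for HTTP inspect's
    dechunking). Stops at the zero-size chunk or when the data runs out."""
    body = b""
    while raw:
        size_line, _, raw = raw.partition(b"\r\n")
        size = int(size_line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            break
        body += raw[:size]
        raw = raw[size + 2:]          # skip the chunk data and its CRLF
    return body


def entity_body(payload: bytes) -> bytes:
    """The buffer file_data points at: the response entity body after the
    header block, with chunked framing stripped."""
    head, _, raw = payload.partition(b"\r\n\r\n")
    if re.search(rb"(?im)^transfer-encoding:\s*chunked\s*$", head):
        return dechunk(raw)
    return raw


def content(buf: bytes, pattern: bytes, depth: int, nocase: bool = False) -> bool:
    """content:"pattern"; depth:N; against one buffer: the whole pattern
    must sit inside the first N bytes of that buffer."""
    window = buf[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def depth_from_payload(payload: bytes, pattern: bytes, depth: int, nocase: bool = False) -> bool:
    """Reading Will describes: depth counted from the packet payload,
    regardless of where file_data moved the cursor."""
    return content(payload, pattern, depth, nocase)


def depth_from_file_data(payload: bytes, pattern: bytes, depth: int, nocase: bool = False) -> bool:
    """Reading Pedro's test implies: depth counted from the file_data cursor,
    the same window that `file_data; content:...; within:N;` describes."""
    return content(entity_body(payload), pattern, depth, nocase)


def compare(payload: bytes, pattern: bytes, depth: int, nocase: bool = False) -> dict:
    """Evaluate one content/depth check under both readings."""
    return {
        "from_payload": depth_from_payload(payload, pattern, depth, nocase),
        "from_file_data": depth_from_file_data(payload, pattern, depth, nocase),
    }


if __name__ == "__main__":
    # The body check of sid:2010518 against the quoted 404 packet.
    print("404, <script depth:280 :", compare(RESPONSE_404, b"<script", 280, nocase=True))
    # Pedro's test rule against the constructed PDF response.
    print("PDF, %PDF- depth:5     :", compare(RESPONSE_PDF, b"%PDF-", 5))
    print("file_data buffer of the 404 packet:", entity_body(RESPONSE_404))
```

Run as a script it shows that the `%PDF-` check with `depth:5` can only match when depth is counted from the body buffer (the first five payload bytes are `HTTP/`), so Pedro's positive result is evidence for the cursor-relative reading, while the `<script` check on the quoted 404 packet finds nothing under either reading, which is why the logged hit puzzles the posters. The model deliberately ignores stream reassembly and the other HTTP inspect buffers; it is meant to make the two readings of `depth` concrete, not to reproduce a particular Snort version.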

