[Emerging-Sigs] ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)

Joel Esler jesler at sourcefire.com
Fri Oct 22 16:28:06 EDT 2010


I am not sure.  You did the right thing by writing snort-devel.

J

On Oct 22, 2010, at 2:23 PM, Will Metcalf wrote:

> This is completely contradictory to what is in the Snort users manual,
> so I wouldn't say usage isn't "neat"; I would say its usage is very
> clearly defined and apparently not adhered to. Joel?
> 
> Regards,
> 
> Will
> 
> "3.5.24 file data
> This option is used to place the cursor (used to walk the packet
> payload in rules processing) at the beginning of either
> the entity body of a HTTP response or the SMTP body data. For this
> option to work with HTTP response, certain
> HTTP Inspect options such as extended response inspection and inspect
> gzip (for decompressed gzip data)
> needs to be turned on. See 2.2.6 for more details.
> When used with argument mime it places the cursor at the beginning of
> the base64 decoded MIME attachment or
> base64 decoded MIME body. This is dependent on the SMTP config option
> enable mime decoding. See 2.2.7 for
> more details.
> Format
> file_data;
> file_data:mime;
> This option matches if there is HTTP response body or SMTP body or
> SMTP MIME base64 decoded data. This
> option will operate similarly to the dce stub data option added with
> DCE/RPC2, in that it simply sets a reference
> for other relative rule options ( byte test, byte jump, pcre) to use.
> This file data can point to either a file or a block
> of data.
> ! NOTE
> Multiple base64 encoded attachments in one packet are pipelined.
> 
> Example
> alert tcp any 80 -> any any(msg:"foo at the start of http response body"; \
> file_data; content:"foo"; nocase; within:3;)
> alert tcp any any -> any any(msg:"MIME BASE64 Encoded Data";\
> file_data:mime; content:"foo"; within:10;)
> "
> 
> On Fri, Oct 22, 2010 at 1:04 PM, Pedro Marinho <pppmarinho at gmail.com> wrote:
>> Will,
>> 
>> I tested this and it does work.
>> 
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (flow:established,to_client; file_data; content:"%PDF-"; depth:5;
>> classtype:bad-unknown;)
>> 
>> I guess it is possible to use depth with file_data. Now I am confused; the
>> Snort manual is not neat about its usage.
>> 
>> 
>> Message: 1
>> Date: Thu, 21 Oct 2010 22:20:51 -0500
>> From: Will Metcalf <william.metcalf at gmail.com>
>> Subject: Re: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP
>>        404 XSS Attempt (External Source)
>> To: "Lay, James" <james.lay at wincofoods.com>
>> Cc: "emerging-sigs at emergingthreats.net"
>>        <Emerging-sigs at emergingthreats.net>
>> Message-ID:
>>        <AANLkTinosDDspQtDjm4yPVD5RL5BEA8z0T4LgY+jf0Ay at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>> 
>> And perhaps there is a bug in file_data ;-)....  Anyway I'm disabling
>> this sig by default.
>> 
>> Regards,
>> 
>> Will
>> 
>> On Thu, Oct 21, 2010 at 5:06 PM, Will Metcalf <william.metcalf at gmail.com>
>> wrote:
>>> Hmmm if somebody can send a pcap off list that would be awesome. I
>>> have tweaked the sig a bit as I believe the original intent was to
>>> identify xss in 4xx 5xx response bodies and the conversion was borked
>>> as file_data moves the inspection pointer similar to dce_stub_data so
>>> the depth check is from the beginning of the payload not from the
>>> start of file_data.
>>> 
>>> Regards,
>>> 
>>> Will
>>> 
>>> On Thu, Oct 21, 2010 at 4:33 PM, Lay, James <james.lay at wincofoods.com>
>>> wrote:
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: emerging-sigs-bounces at emergingthreats.net
>>>> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Eoin
>>>> Miller
>>>> Sent: Thursday, October 21, 2010 3:20 PM
>>>> To: emerging-sigs at emergingthreats.net
>>>> Subject: [Emerging-Sigs] sid:2010518 - ET WEB_CLIENT Possible HTTP 404
>>>> XSS Attempt (External Source)
>>>> 
>>>> I am not sure if I understand the point of this signature:
>>>> 
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
>>>> Possible HTTP 404 XSS Attempt (External Source)";
>>>> flow:from_server,established; content:"404"; http_stat_code;
>>>> content:"Not Found"; nocase; http_stat_msg; file_data;
>>>> content:"<script"; nocase; depth:280; classtype:web-application-attack;
>>>> reference:url,doc.emergingthreats.net/2010518;
>>>> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_CLIENT/WEB_Error_XSS;
>>>> sid:2010518; rev:5;)
>>>> 
>>>> 
>>>> I'm in the same boat...hit and packet dump enclosed:
>>>> 
>>>> 10/21-14:06:21.176785  [**] [1:2010518:5] ET WEB_CLIENT Possible HTTP
>>>> 404 XSS Attempt (External Source) [**] [Classification: Web Application
>>>> Attack] [Priority: 1] {TCP} 97.74.57.246:80 -> 66.193.105.132:28018
>>>> 
>>>> 14:06:21.176785 IP 97.74.57.246.80 > 66.193.105.132.28018: Flags [P.],
>>>> ack 4289524988, win 63784, length 233
>>>>         0x0000:  4500 0111 5036 4000 3906 a92b 614a 39f6  E...P6@.9..+aJ9.
>>>>         0x0010:  42c1 6984 0050 6d72 3248 898d ffac f4fc  B.i..Pmr2H......
>>>>         0x0020:  5018 f928 bdcb 0000 4854 5450 2f31 2e31  P..(....HTTP/1.1
>>>>         0x0030:  2034 3034 204e 6f74 2046 6f75 6e64 0d0a  .404.Not.Found..
>>>>         0x0040:  4461 7465 3a20 5468 752c 2032 3120 4f63  Date:.Thu,.21.Oc
>>>>         0x0050:  7420 3230 3130 2032 303a 3036 3a32 3620  t.2010.20:06:26.
>>>>         0x0060:  474d 540d 0a53 6572 7665 723a 2041 7061  GMT..Server:.Apa
>>>>         0x0070:  6368 650d 0a4b 6565 702d 416c 6976 653a  che..Keep-Alive:
>>>>         0x0080:  2074 696d 656f 7574 3d31 352c 206d 6178  .timeout=15,.max
>>>>         0x0090:  3d34 380d 0a43 6f6e 6e65 6374 696f 6e3a  =48..Connection:
>>>>         0x00a0:  204b 6565 702d 416c 6976 650d 0a54 7261  .Keep-Alive..Tra
>>>>         0x00b0:  6e73 6665 722d 456e 636f 6469 6e67 3a20  nsfer-Encoding:.
>>>>         0x00c0:  6368 756e 6b65 640d 0a43 6f6e 7465 6e74  chunked..Content
>>>>         0x00d0:  2d54 7970 653a 2074 6578 742f 6874 6d6c  -Type:.text/html
>>>>         0x00e0:  3b20 6368 6172 7365 743d 7574 662d 380d  ;.charset=utf-8.
>>>>         0x00f0:  0a0d 0a31 3720 0d0a 3c68 313e 3430 3420  ...17...<h1>404.
>>>>         0x0100:  4e6f 7420 466f 756e 6421 3c2f 6831 3e0d  Not.Found!</h1>.
>>>>         0x0110:  0a                                       .
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

--
Joel Esler
302-223-5974
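As an added example (not part of the thread, and not Snort's own code), a small Python model of the two readings of depth argued over above: measured from the file_data cursor as the manual describes, or from the start of the packet payload as Will suspected. The first response is reconstructed from James's hexdump, the second is constructed so the two readings disagree, and dechunk, split_response and sid_2010518_matches are hypothetical helper names.

```python
# Added example (not from the thread): a small model of Snort's detection cursor,
# showing that sid:2010518 gives different verdicts when depth:280 is measured from
# the file_data cursor (the manual's semantics) or from the start of the payload
# (what Will suspected). Simplified evaluator; the first response is reconstructed
# from the hexdump in the thread, the second is constructed for contrast.

# The 404 from James Lay's packet dump: chunked, and no "<script" anywhere in it.
THREAD_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\nDate: Thu, 21 Oct 2010 20:06:26 GMT\r\n"
    b"Server: Apache\r\nKeep-Alive: timeout=15, max=48\r\nConnection: Keep-Alive\r\n"
    b"Transfer-Encoding: chunked\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b"17 \r\n<h1>404 Not Found!</h1>\r\n"  # note the space after the chunk size
)
# Constructed: "<script" starts 200 bytes into the body but 288 bytes into the payload.
CONSTRUCTED_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    b"Content-Length: 231\r\n\r\n<html><body>" + b"A" * 188 + b"<script></script></body></html>"
)

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body, tolerating whitespace after the chunk size ("17 ")."""
    out, pos = b"", 0
    while (line_end := data.find(b"\r\n", pos)) >= 0:
        size = int(data[pos:line_end].split(b";")[0].strip().decode(), 16)
        if size == 0:  # last-chunk marker
            break
        out += data[line_end + 2:line_end + 2 + size]
        pos = line_end + 2 + size + 2  # skip the chunk data and its trailing CRLF
    return out

def split_response(payload: bytes):
    """Return (status_code, status_msg, body_offset, body); the body is decoded the
    way HTTP Inspect would hand it to file_data."""
    head, sep, raw_body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete headers")
    status_line, *header_lines = head.split(b"\r\n")
    _version, code, msg = status_line.split(b" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(b":", 1) for h in header_lines)}
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        raw_body = dechunk(raw_body)
    return code, msg, len(head) + 4, raw_body

def sid_2010518_matches(payload: bytes, depth_from_cursor: bool) -> bool:
    """http_stat_code "404"; http_stat_msg "Not Found"; file_data; content:"<script";
    nocase; depth:280 -- the whole pattern must lie within the first 280 bytes."""
    code, msg, _body_offset, body = split_response(payload)
    if code != b"404" or msg.lower() != b"not found":
        return False
    window = body[:280] if depth_from_cursor else payload[:280]
    return b"<script" in window.lower()
```

Under either reading the dumped packet has no "<script" at all, so the model does not fire on it; the constructed response fires only when depth is counted from the file_data cursor.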