[Emerging-Sigs] Iframe in Purported Image Download - Tons of Alerts

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 27 10:54:36 EDT 2010


Ya, this sig needs to be moved to a permanent ruleset or retired; it is old. 

I'm leaning toward pushing it to the deleted file. I think that method of injection has passed, no?

Any objections to retiring it? Disabling for now.

Matt

On Oct 25, 2010, at 3:32 PM, Eoin Miller wrote:

> These sigs are firing TONS of times:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
> CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL 
> Injection Attacks Related"; flow:established,from_server; 
> content:"content-type|3a| "; nocase; http_header; content:" image/gif"; 
> nocase; http_header; file_data; content:"<iframe"; nocase; 
> pcre:"/content-type\:\s+image\/gif/im"; 
> pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; 
> classtype:web-application-attack; 
> reference:url,doc.emergingthreats.net/bin/view/Main/2008314; 
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; 
> sid:2008314; rev:5;)
> 
> Kind of wondering why 2008 rules are still showing up as CURRENT_EVENTS 
> and what was done to them so they are firing so much now? Anyone else 
> noticing this behavior? The packets themselves are not containing the 
> iframe with the gif, but if the same TCP stream has iframe and gif in 
> it, then this is triggering. I have some PCAPs I can send in to the ET 
> guys to try and help out. I am really scratching my head as to why these 
> rules are doing this right now... This is doing this for the gif, png 
> and jpg rules.
> 
> -- Eoin
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
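The behaviour Eoin describes (the GIF and the iframe sit in different responses on the same TCP stream, yet the rule fires) is easiest to see by evaluating the rule's two checks in two different scopes. The script below is an added illustration, not code from the thread or from Emerging Threats: the HTTP keep-alive stream it inspects is constructed for this example, and `stream_wide_match`, `split_responses` and `per_response_match` are names chosen here. The regexes mirror the two `pcre` options of sid 2008314 quoted above.

```python
"""
Added example (not from the original thread): why a rule that pairs
'Content-Type: image/gif' with '<iframe' can fire on a reassembled TCP
stream that never carried an iframe inside a GIF response.
"""
import re

# Patterns lifted from the quoted rule's two pcre options (case-insensitive).
CT_GIF = re.compile(rb"content-type:\s+image/gif", re.I | re.M)
IFRAME = re.compile(rb"<iframe.*?src.*?>.*?</iframe>", re.I | re.M)


def build_response(content_type: bytes, body: bytes) -> bytes:
    """Assemble one minimal HTTP/1.1 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


# Constructed sample: a keep-alive stream carrying two responses. Response 0
# is a real GIF with no iframe; response 1 is an HTML page with an iframe.
STREAM = (build_response(b"image/gif", b"GIF89a")
          + build_response(b"text/html",
                           b'<html><iframe src="http://example.invalid/"></iframe></html>'))

# Constructed sample of what the rule is actually meant to catch: the iframe
# is inside the body of a response that claims to be a GIF.
TRUE_POSITIVE = build_response(
    b"image/gif", b'<iframe src="http://example.invalid/x"></iframe>')


def stream_wide_match(stream: bytes) -> bool:
    """Both checks run over the whole reassembled stream, so a hit in one
    response's header and a hit in another response's body combine."""
    return bool(CT_GIF.search(stream) and IFRAME.search(stream))


def split_responses(stream: bytes) -> list:
    """Split a reassembled stream into (headers, body) pairs per HTTP
    response, using Content-Length to find each body's end."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        headers = stream[pos:end]
        m = re.search(rb"content-length:\s*(\d+)", headers, re.I)
        length = int(m.group(1)) if m else 0
        body_start = end + 4
        out.append((headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return out


def per_response_match(stream: bytes) -> list:
    """Evaluate the rule per response: the Content-Type of THIS response and
    an iframe in THIS response's body. Returns indices of matching responses."""
    return [i for i, (hdr, body) in enumerate(split_responses(stream))
            if CT_GIF.search(hdr) and IFRAME.search(body)]


if __name__ == "__main__":
    print("stream-wide on benign keep-alive stream:", stream_wide_match(STREAM))
    print("per-response on benign keep-alive stream:", per_response_match(STREAM))
    print("per-response on true positive:", per_response_match(TRUE_POSITIVE))
```

On the benign stream the stream-wide evaluation fires while the per-response evaluation does not; on the true positive both fire. The two `pcre` options in the quoted rule carry no buffer modifier, so in Snort they are evaluated against the reassembled payload rather than against the per-response `http_header` and `file_data` buffers the `content` matches use, which is the stream-wide scope modelled here; when tuning such a rule, keeping every check scoped to the same response (or dropping the unscoped `pcre`s in favour of the buffer-scoped `content` matches) is what removes this class of false positive.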
