alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:10; content:"CURSOR\:"; nocase; within:12; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:3;) Added 2007-04-27 09:30:25 UTC
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:5; content:"CURSOR\:"; nocase; within:5; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:2;) Added 2007-04-18 14:30:18 UTC Juat removed the stray \ from the reference. No rule change. -- MattJonkman - 18 Apr 2007
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:5; content:"CURSOR\:"; nocase; within:5; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,/isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:1;) Added 2007-04-18 14:07:04 UTC http://isc.sans.org/diary.html?storyid=2648 Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:
Russ points out we should be able to sig this. Defining a div for ONLY defining a cursor is pointless in real life. So this shouldn't false (much): #by Matt Jonkman, from ISC post, idea from Russ McRee? Please give it a try and let me know about falses. Matt -- MattJonkman - 18 Apr 2007 Also see MSRpcDns? -- MattJonkman - 18 Apr 2007
Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actionsTopic revision: r2 - 2007-04-18 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats