alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:10; content:"CURSOR\:"; nocase; within:12; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:3;)
Added 2007-04-27 09:30:25 UTC
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:5; content:"CURSOR\:"; nocase; within:5; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:2;)
Added 2007-04-18 14:30:18 UTC
Just removed the stray \ from the reference. No rule change.
--
MattJonkman - 18 Apr 2007
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:5; content:"CURSOR\:"; nocase; within:5; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,/isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:1;)
Added 2007-04-18 14:07:04 UTC
http://isc.sans.org/diary.html?storyid=2648
Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:
Russ points out we should be able to sig this. Defining a div for ONLY defining a cursor is pointless in real life. So this shouldn't false (much):
#by Matt Jonkman, from ISC post, idea from Russ McRee
Please give it a try and let me know about falses.
Matt
--
MattJonkman - 18 Apr 2007
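How the rule's content chain and pcre behave on a page, as an added Python example (not Matt's code and not part of the Bleeding Edge rule set). The two HTML payloads are constructed for the example, and the matching model is an assumption stated in the code: a nocase content match, with within:N limiting the next match to the N bytes that follow the previous one, and the chain retried from each later occurrence of the first content. Under that model the rev:2 values of within:5 cannot reach past the space plus "style" that the pcre itself requires after <DIV, while the rev:3 values of within:10 and within:12 do, and the pcre still rejects a DIV that merely sets a non-url cursor.

```python
import re

# Constructed sample payloads for this example (not from the ISC post).
# One page carries an empty DIV whose only job is to load a remote cursor;
# the other uses the cursor property legitimately on a DIV with content.
INJECTED_HTML = (b'<html><body><div id="x">text</div>\n'
                 b'<div style="cursor: url(http://example.invalid/load.ani)"></div>\n'
                 b'</body></html>')
BENIGN_HTML = b'<html><body><div style="cursor: pointer">click me</div></body></html>'

# The rule's pcre with the redundant escapes (\: \/) dropped; flags i, s, m as in the rule.
RULE_PCRE = re.compile(
    rb'<DIV\s+style="CURSOR:\s*url\(\s*http://[a-zA-Z0-9./]+\s*\)\s*">\s*<\s*/\s*DIV\s*>',
    re.IGNORECASE | re.DOTALL | re.MULTILINE)


def find_content(payload, needle, start=0, within=None):
    """Emulate a nocase 'content' match; return the offset just past it, or None.

    Assumed model for 'within:N': the search is confined to the N bytes that
    follow the end of the previous match, so the whole needle must fit there.
    """
    hay = payload.lower()
    needle = needle.lower()
    end = len(hay) if within is None else min(len(hay), start + within)
    idx = hay.find(needle, start, end)
    return None if idx < 0 else idx + len(needle)


def rule_matches(payload, within_style, within_cursor):
    """Apply the rule: "<DIV", then "style" within N, then "CURSOR:" within M,
    then the pcre over the payload. If a relative match fails, retry the chain
    from the next occurrence of "<DIV", as the detection engine would."""
    pos = 0
    while True:
        after_div = find_content(payload, b"<DIV", pos)
        if after_div is None:
            return False
        after_style = find_content(payload, b"style", after_div, within_style)
        if after_style is not None:
            after_cursor = find_content(payload, b"CURSOR:", after_style, within_cursor)
            if after_cursor is not None:
                return RULE_PCRE.search(payload) is not None
        pos = after_div  # chain failed here; retry from the next "<DIV"


if __name__ == "__main__":
    for name, payload in (("injected", INJECTED_HTML), ("benign", BENIGN_HTML)):
        print(name, "rev2 (within 5/5):", rule_matches(payload, 5, 5),
              "rev3 (within 10/12):", rule_matches(payload, 10, 12))
```

Running the script shows the injected page matching only under the rev:3 distances and the benign page matching under neither, so the pcre, not the content chain, is what keeps the false-positive rate down once the within values are wide enough to let the chain succeed.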
Also see MSRpcDns
--
MattJonkman - 18 Apr 2007