
Adobe Sigs: msg#00100

security.ids.snort.bleedingsnort

Subject: Adobe Sigs

I've disabled the below 2 sigs. Karmabender makes the very correct
observation that the parameters to the url that are executing the xss
will not be sent by the browser. Only the request for the pdf, the
parameters are a local thing only.

But the sig to catch a hostile url inbound is relatively useful.

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter Javascript Client Request";
flow:established,to_server; uricontent:".pdf#"; nocase;
pcre:"/.pdf#(.+=)javascript\:/iU"; nocase; classtype:attempted-admin;
reference:url,secunia.com/advisories/23483/; sid:2003247; rev:3;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"BLEEDING-EDGE Exploit Adobe Acrobat Open Parameter URL Client Request";
flow:established,to_server; uricontent:"#"; uricontent:"\://";
pcre:"/\#(?=(.[^\/]+(\=)))/iU"; nocase; classtype:attempted-admin;
sid:2003249; rev:4;)
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
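
The point made in the message above, as an added example that is not part of the original post: a browser strips the `#fragment` before sending the request, so the two client-request sigs never see the parameters, while the same patterns do match the full link as it arrives in an inbound page. The sample URLs, the HTML snippet and the helper names are constructed for illustration; Snort's `/U` normalization is not modelled.

```python
import re
from urllib.parse import urlsplit

# pcre bodies copied from the two disabled rules; /i becomes re.IGNORECASE.
SIG_JS = re.compile(r".pdf#(.+=)javascript\:", re.IGNORECASE)    # sid 2003247
SIG_URL = re.compile(r"\#(?=(.[^\/]+(\=)))", re.IGNORECASE)      # sid 2003249


def request_uri(url):
    """Request-target a browser puts on the wire: path plus query, never the fragment."""
    parts = urlsplit(url)
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return uri


def sig_hits(text):
    """Apply each rule's content checks and pcre to a buffer (hypothetical helper)."""
    low = text.lower()
    return {
        "2003247": ".pdf#" in low and bool(SIG_JS.search(text)),
        "2003249": "#" in text and "://" in text and bool(SIG_URL.search(text)),
    }


# Constructed samples: links as they would appear in an inbound page.
LINK_JS = "http://files.example.com/report.pdf#foo=javascript:void(0)"
LINK_URL = "http://files.example.com/report.pdf#foo=http://other.example.net/a"
INBOUND_HTML = '<a href="%s">Q4 report</a>' % LINK_JS

if __name__ == "__main__":
    for link in (LINK_JS, LINK_URL):
        uri = request_uri(link)
        print("link in inbound page :", link, sig_hits(link))
        print("client request URI   :", uri, sig_hits(uri))
```
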

