alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:10; content:"CURSOR\:"; nocase; within:12; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:3;)

Added 2007-04-27 09:30:25 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:5; content:"CURSOR\:"; nocase; within:5; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:2;)

Added 2007-04-18 14:30:18 UTC

Just removed the stray \ from the reference. No rule change.

-- MattJonkman - 18 Apr 2007


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Likely ANI Exploit Include from Webpage"; flow:established,from_server; content:"<DIV"; nocase; content:"style"; nocase; within:5; content:"CURSOR\:"; nocase; within:5; pcre:"/<DIV\s+style=\"CURSOR\:\s*url\(\s*http\:\/\/[a-zA-Z0-9\.\/]+\s*\)\s*\">\s*<\s*\/\s*DIV\s*>/ism"; classtype:misc-attack; reference:url,/isc.sans.org/diary.html?storyid=2648; sid:2003596; rev:1;)

Added 2007-04-18 14:07:04 UTC

http://isc.sans.org/diary.html?storyid=2648

Roger Chiu of Malware-Test Lab submitted a .ani file observed in the wild that was not detected as malicious by any popular antivirus tools. As with many other ANI attacks, this was presented as a CURSOR object in a DIV element on a compromised web site:


Russ points out we should be able to sig this. Defining a div for ONLY defining a cursor is pointless in real life. So this shouldn't false (much):

#by Matt Jonkman, from ISC post, idea from Russ McRee?

Please give it a try and let me know about falses.

Matt

-- MattJonkman - 18 Apr 2007
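To see what the signature actually accepts and rejects, here is an added Python model of the rule (my own example, not part of the original post or the Emerging Threats rule set). It transcribes the rule's pcre and models the content/within chain that gates it; the assumed within semantics are that each later content must fall entirely inside the N bytes following the end of the previous match. Sample bodies and the host example.invalid are constructed.

```python
import re

# The rule's pcre, transcribed to Python. Snort flags "ism" -> re.I, re.S, re.M.
# Note what it demands: "style=" right after "<DIV", an http:// URL made only of
# letters, digits, dots and slashes, and nothing but whitespace between the
# open and close tags (a DIV that exists only to set a cursor).
ANI_DIV_PCRE = re.compile(
    rb'<DIV\s+style="CURSOR:\s*url\(\s*http://[a-zA-Z0-9./]+\s*\)\s*">'
    rb'\s*<\s*/\s*DIV\s*>',
    re.I | re.S | re.M,
)


def content_chain(body: bytes, within_style: int, within_cursor: int) -> bool:
    """Model of: content:"<DIV"; content:"style"; within:N; content:"CURSOR:"; within:M.

    Assumed semantics: each content must be found entirely inside the window of
    N bytes after the previous match ends. Retries from every "<DIV" occurrence.
    """
    b = body.lower()
    start = 0
    while (i := b.find(b"<div", start)) >= 0:
        end = i + 4
        j = b[end:end + within_style].find(b"style")
        if j >= 0:
            end += j + 5
            if b[end:end + within_cursor].find(b"cursor:") >= 0:
                return True
        start = i + 1
    return False


def rule_matches(body: bytes, within_style: int = 10, within_cursor: int = 12) -> bool:
    """True when both the content chain and the pcre fire (rev:3 windows by default)."""
    return content_chain(body, within_style, within_cursor) and bool(ANI_DIV_PCRE.search(body))


# Constructed sample response bodies (not real captures).
EXPLOIT_STYLE = (b'<html><body><DIV style="CURSOR: url(http://example.invalid/x.ani)">'
                 b'</DIV>Welcome</body></html>')
BENIGN_POINTER = b'<div style="cursor: pointer">Click me</div>'   # no url(), no alert
CURSOR_WITH_CONTENT = (b'<DIV style="CURSOR: url(http://example.invalid/c.cur)">'
                       b'Some text</DIV>')                        # non-empty DIV, no alert

if __name__ == "__main__":
    for name, body in [("exploit-style", EXPLOIT_STYLE), ("benign pointer", BENIGN_POINTER),
                       ("cursor with content", CURSOR_WITH_CONTENT)]:
        print(f"{name}: rev3={rule_matches(body)} rev2-windows={rule_matches(body, 5, 5)}")
```

Under this model the rev:2 windows (within:5) never reach "style" after `<DIV ` because the 5-byte window holds only ` styl`; the rev:3 values of 10 and 12 are what let the chain reach the pcre.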

Also see MSRpcDns?

-- MattJonkman - 18 Apr 2007


Topic revision: r2 - 2007-04-18 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats