
| Subject: | RE: [Snort-sigs] WEB-CLIENT HTML DOM invalid element creation attempt,Sig ID,3549 |
|---|---|
| Date: | Fri, 10 Feb 2006 09:43:05 -0500 |
Is the pcre getting greedy with \w+
Shirkdog http://www.shirkdog.us
From: Russell Fulton <r.fulton@auckland.ac.nz>
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] WEB-CLIENT HTML DOM invalid element creation attempt,Sig ID,3549
Date: Thu, 09 Feb 2006 09:31:27 +1300
I'm seeing several 1000 hits a day on this rule from all over the globe.
If you need more info I'm happy to supply it.
Russell
META --------
SID CID TimeStamp Signature
6 377134 2006-02-08 14:21:48 WEB-CLIENT HTML DOM invalid element creation attempt Sig ID 3549

Sensor Hostname Sensor Interface
hihi.insec.auckland.ac.nz new dmz sensor

IP --------
Source Address Dest Address Ver Hdr Len
128.100.131.33 130.216.191.183 4 5

TOS length ID flags offset TTL chksum
0 576 26567 0 0 108 40667

Resolved Source amscmsweb.wisst.utoronto.ca
Resolved Dest gate1.ec.auckland.ac.nz

TCP --------
Source Port Dest Port Seq Ack
80 39895 1152954908 1768103730

Offset Reserved Flags Window Checksum Urgent Ptr
8 0 16 17520 30122 0

Options -------- None

Flags -------- RB 1 RB 0 URG ACK PSH RST SYN FIN X
DATA -------- ass_name) {...element.className = class_name;..}..function C hange_Element_ID (element,ID_name) {...element.id = ID_name; ..}....function ShowLayer1(name,id_n, bcolor) {...if (docume nt.createElement){....helpdir = document.getElementById(name );....helpdir.style.backgroundColor = bcolor;....mytable=doc ument.createElement("TABLE");....tabbody=document.createElem ent("TBODY");....row=document.createElement("TR");....cell=d ocument.createElement("TD");....textNode=document.createText Node(id_n);....cell.appendChild(textNode);..
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
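
An added example, not part of either post or of the Snort ruleset: it rejoins the 60-character display rows of the payload quoted above and lists the literal tag names passed to `document.createElement()`, which is the first thing to check when triaging these hits. Treating "valid" as membership in the HTML 4.01 element set is an assumption, since the thread does not show the rule's pattern; `ROWS`, `HTML4`, `created_elements` and `triage` are names chosen here.

```python
import re

# ASCII column of the alert payload, copied from the post above as
# 60-character display rows ("." marks a non-printable byte: CR, LF, TAB).
ROWS = [
    'nt.createElement){....helpdir = document.getElementById(name',
    ');....helpdir.style.backgroundColor = bcolor;....mytable=doc',
    'ument.createElement("TABLE");....tabbody=document.createElem',
    'ent("TBODY");....row=document.createElement("TR");....cell=d',
    'ocument.createElement("TD");....textNode=document.createText',
    'Node(id_n);....cell.appendChild(textNode);..',
]

# Assumption: "valid" means an HTML 4.01 element name. The thread does not
# show the rule's own pattern, so this set stands in for it.
HTML4 = set("""
A ABBR ACRONYM ADDRESS APPLET AREA B BASE BASEFONT BDO BIG BLOCKQUOTE BODY
BR BUTTON CAPTION CENTER CITE CODE COL COLGROUP DD DEL DFN DIR DIV DL DT EM
FIELDSET FONT FORM FRAME FRAMESET H1 H2 H3 H4 H5 H6 HEAD HR HTML I IFRAME
IMG INPUT INS ISINDEX KBD LABEL LEGEND LI LINK MAP MENU META NOFRAMES
NOSCRIPT OBJECT OL OPTGROUP OPTION P PARAM PRE Q S SAMP SCRIPT SELECT SMALL
SPAN STRIKE STRONG STYLE SUB SUP TABLE TBODY TD TEXTAREA TFOOT TH THEAD
TITLE TR TT U UL VAR
""".split())

# A createElement call whose argument is a quoted string literal.
CALL = re.compile(r"""document\.createElement\(\s*(["'])(.*?)\1\s*\)""")

def created_elements(rows, joiner=""):
    """Return the literal tag names passed to document.createElement()."""
    return [m.group(2) for m in CALL.finditer(joiner.join(rows))]

def triage(rows):
    """Split the created tag names into known and unknown element names."""
    names = created_elements(rows)
    known = [n for n in names if n.upper() in HTML4]
    unknown = [n for n in names if n.upper() not in HTML4]
    return known, unknown

if __name__ == "__main__":
    known, unknown = triage(ROWS)
    print("known elements:  ", known)
    print("unknown elements:", unknown)
    # Searching the rows as displayed (joined with a space) loses every call
    # that straddles a row boundary, so rejoin the rows before judging a hit.
    print("found without rejoining:", created_elements(ROWS, joiner=" "))
```
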