FPs Sig 5432 Script in HTTP header

jkell
Level 1

This signature appears to be looking for script markers in the header, but is firing on just the presence of 'script', which is not a problem. Example:

000000 47 45 54 20 2F 42 75 72 73 74 69 6E 67 53 63 72 GET /BurstingScr

000010 69 70 74 2F 61 64 64 69 6E 65 79 65 2E 6A 73 20 ipt/addineye.js

000020 48 54 54 50 2F 31 2E 31 0D HTTP/1.1.


wsulym
Cisco Employee

It actually fires on the <script> tag in the header. There's probably more to the alert context than what you have pasted there. If you enable "Produce Verbose Alert" as an action for that sig, you will see the trigger packet in the alert, and that should contain the "<script> ... </script>".

jkell
Level 1

OK, changed and re-baited the hook. Awaiting the next fish...

jkell
Level 1

Got one: the script is in the Referer: tag (sort of).

wsulym
Cisco Employee

Well, doesn't look malicious at all. Not that I was having all sorts of luck finding out much about it, but from what I could find, it looks like a click-through banner ad. Just looks like it's feeding some benign information into the javascript banner generator.

I will update the benign triggers section of the signature accordingly.

jkell
Level 1

Isn't the signature designed to basically just look at the URI content? Can you adjust the regexp to locate script tags before the terminator?

wsulym
Cisco Employee

No, 5432-0 is looking for script tags anywhere in the entire header. You may be thinking of the other XSS sigs. 5232-x sigs look for script in the uri and arguments only.
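The scoping difference wsulym describes (a tag match anywhere in the header block versus a match restricted to the URI and its arguments), as an added example that is not part of the thread and not Cisco's signature logic. The regexes, the sample requests and the function names are illustrative assumptions; the only thing taken from the thread is the GET line from the hex dump, which shows why a naive "script" substring match false-positives on a path like /BurstingScript/addineye.js while a tag match does not. A URL-encoded variant is included because a URI-scoped check that does not decode first misses it.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Constructed sample requests, not captured traffic. The first reproduces the
# request line from the hex dump in the thread; the rest are illustrative.
REQUESTS: Dict[str, str] = {
    "bursting_path": (
        "GET /BurstingScript/addineye.js HTTP/1.1\r\n"
        "Host: ads.example.test\r\n\r\n"
    ),
    "referer_script": (
        "GET /banner.gif HTTP/1.1\r\n"
        "Host: ads.example.test\r\n"
        "Referer: http://www.example.test/page?ad=<script>gen('x')</script>\r\n\r\n"
    ),
    "uri_xss": (
        "GET /search?q=<script>alert(1)</script> HTTP/1.1\r\n"
        "Host: www.example.test\r\n\r\n"
    ),
    "uri_encoded": (
        "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
        "Host: www.example.test\r\n\r\n"
    ),
    "clean": "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}

# Illustrative patterns (assumed, not the actual signature regexes).
NAIVE_SUBSTRING = re.compile(r"script", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (header block, request-target, {name: value})."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head, target, headers


def naive_anywhere(raw: str) -> bool:
    """What jkell suspected: any 'script' substring in the header block."""
    head, _, _ = parse_request(raw)
    return bool(NAIVE_SUBSTRING.search(head))


def tag_anywhere_in_header(raw: str) -> bool:
    """Header-wide scope: a <script> or </script> tag anywhere in the header
    block, request line and Referer included (no URL decoding applied)."""
    head, _, _ = parse_request(raw)
    return bool(SCRIPT_TAG.search(head))


def tag_in_uri_and_args(raw: str) -> bool:
    """URI-only scope: the tag must appear in the request-target (path or
    query), checked after percent-decoding so %3Cscript%3E is not missed."""
    _, target, _ = parse_request(raw)
    return bool(SCRIPT_TAG.search(unquote(target)))


def classify(raw: str) -> Dict[str, bool]:
    """Run all three checks on one request."""
    return {
        "naive": naive_anywhere(raw),
        "header_tag": tag_anywhere_in_header(raw),
        "uri_tag": tag_in_uri_and_args(raw),
    }


def run_all() -> Dict[str, Dict[str, bool]]:
    """Classify every sample request; keyed by the sample name."""
    return {name: classify(raw) for name, raw in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:15s} {verdict}")
```

Running it shows the three behaviours side by side: the BurstingScript path trips only the substring check, the Referer carrying script tags trips the header-wide check but not the URI-only one (the benign-trigger case from the thread), and the percent-encoded query is caught only by the URI check that decodes first.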
