Firefox Handler sigs
2007-07-27 00:34:28
By Scott Melnick, self-explanatory.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Mailto Link Detected"; flow:from_server,established; content:"mailto:%"; nocase; content:"/../../"; within:30; nocase; pcre:"/\.(exe|bat|com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006436; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE News Link Detected"; flow:from_server,established; content:"news:%"; nocase; content:"/../../"; within:30; nocase; pcre:"/\.(exe|bat|com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006437; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Nntp Link Detected"; flow:from_server,established; content:"nntp:%"; nocase; content:"/../../"; within:30; nocase; pcre:"/\.(exe|bat|com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006438; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Snews Link Detected"; flow:from_server,established; content:"snews:%"; nocase; content:"/../../"; within:30; nocase; pcre:"/\.(exe|bat|com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006439; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Telnet Link Detected"; flow:from_server,established; content:"telnet:%"; nocase; content:"/../../"; within:30; nocase; pcre:"/\.(exe|bat|com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006440; rev:1;)


Thanks Scott! Nice work

Matt
-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
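As an added illustration, not part of Scott's rules or of this list post, here is a small Python emulation of the five signatures' match logic (nocase content, `within:30`, non-relative pcre) run over constructed sample payloads; the sample strings, sid mapping and helper names are my own. It also shows why the dot in the posted pcre needs escaping.

```python
import re

# Handler schemes covered by sids 2006436-2006440 in the rules above, in order.
HANDLER_SCHEMES = ("mailto:%", "news:%", "nntp:%", "snews:%", "telnet:%")
FIRST_SID = 2006436

# Mirrors 'content:"/../../"; within:30;': the traversal string must lie wholly
# inside the 30 bytes that follow the end of the scheme match.
TRAVERSAL = b"/../../"
WITHIN = 30

# Escaped-dot form of the rule's pcre. The originally posted '(.exe|.bat|.com)'
# leaves the dot unescaped, so it also matches any byte followed by "exe".
EXT_RE = re.compile(rb"\.(exe|bat|com)", re.IGNORECASE)
POSTED_EXT_RE = re.compile(rb"(.exe|.bat|.com)", re.IGNORECASE)


def matched_sids(payload: bytes, ext_re: re.Pattern = EXT_RE) -> list:
    """Return the sids whose match logic fires on one server->client payload."""
    hits = []
    lower = payload.lower()          # both content matches are 'nocase'
    for offset, scheme in enumerate(HANDLER_SCHEMES):
        needle = scheme.encode()
        pos = lower.find(needle)
        while pos != -1:             # try every occurrence, as Snort would
            end = pos + len(needle)
            if TRAVERSAL in lower[end:end + WITHIN]:
                # The pcre has no 'R' modifier, so it is not relative to the
                # previous match and is applied to the whole payload.
                if ext_re.search(payload):
                    hits.append(FIRST_SID + offset)
                break
            pos = lower.find(needle, pos + 1)
    return hits


# Constructed sample payloads (hypothetical, not taken from the original post).
SAMPLE_HIT = b'<a href="mailto:%/../../../x.exe">go</a>'
SAMPLE_BENIGN = b'<a href="mailto:sales@example.com">contact</a> /../../docs/a.exe'
SAMPLE_TOO_FAR = b"news:%" + b"A" * 40 + b"/../../y.bat"   # traversal beyond 30 bytes
SAMPLE_DOT = b"telnet:%/../../report.txt exe"              # only the unescaped pcre fires

if __name__ == "__main__":
    for name, sample in [("hit", SAMPLE_HIT), ("benign", SAMPLE_BENIGN),
                         ("too_far", SAMPLE_TOO_FAR), ("dot", SAMPLE_DOT)]:
        print(name, matched_sids(sample), matched_sids(sample, POSTED_EXT_RE))
```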

Re: Firefox Handler sigs
2007-07-27 07:40:36
Quoting Matt Jonkman <jonkman@bleedingthreats.net>:

> By Scott Melnick, self-explanatory.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS FireFox Remote Command EXE Mailto Link Detected"; flow:from_server,established; content:"mailto:%"; nocase; content:"/../../"; within:30; nocase; pcre:"/\.(exe|bat|com)/i"; reference:url,xs-sniper.com/blog/remote-command-exec-firefox-2005/; classtype:web-application-attack; sid:2006436; rev:1;)

Getting syntax errors on the "%". Should there be something following the "%"?

tc

----------------------------------------------------------------
Afferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com
