Detecting image files with an embedded iframe

These rules are taken from http://www.emergingthreats.org/rules/emerging.rules.

They fire when a client views an "image" that has an iframe embedded in it: the HTTP response's Content-Type header claims image/jpeg, image/gif or image/png, but the body contains an <iframe ...>...</iframe> element, something a genuine image has no reason to carry. The "Likely SQL Injection Attacks Related" in the message and the CURRENT_SQL_Injections reference show they were written for the mass SQL injection campaigns of the time, which injected iframes into the content of compromised sites. Two things to check before deploying them: the rules only look at server-to-client traffic ($HTTP_PORTS -> $HOME_NET, flow:established,from_server), so they see the download, not the upload; and as printed the first literal "content-type|3a| " ends with a space while the second " image/jpeg" begins with one, so with distance:0 a normal header with a single space between the colon and the media type cannot satisfy both, which is worth verifying against the current rule text.

After testing these, I will need to write a rule that fires on the upload to the web server.. ^^

#by Michael Sconzo of ERCOT

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; distance:0; within:30; pcre:"/<iframe.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008313; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; distance:0; within:30; pcre:"/<iframe.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008314; rev:4;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; distance:0; within:30; pcre:"/<iframe.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008315; rev:4;)
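As an added example, not code from this page or from Emerging Threats, here is a Python re-implementation of what the three rules check, run over constructed HTTP responses. It assumes the trailing option is pcre:"/<iframe.*?<\/iframe>/im" and collapses the rule's two adjacent space literals into the normal single space after "Content-Type:"; the magic-byte check, the sample responses and the function names are additions of the example, not part of the rule set.

```python
import re

# Constructed example (not part of the page or the ET rule set): a Python
# re-implementation of the matching logic of ET sids 2008313/2008314/2008315,
# plus a magic-byte check that the rules themselves do not perform.

# Content-Type literals the three rules look for, mapped to the sid that fires.
IMAGE_SIDS = {
    b"image/jpeg": 2008313,
    b"image/gif": 2008314,
    b"image/png": 2008315,
}

# First bytes of a genuine file of each type (an addition of this example; the
# rules never look at the body's magic bytes).
MAGIC = {
    b"image/jpeg": b"\xff\xd8\xff",
    b"image/gif": b"GIF8",
    b"image/png": b"\x89PNG\r\n\x1a\n",
}

# content:"|0d 0a|content-type|3a| "; nocase  (whitespace after the colon collapsed here)
CONTENT_TYPE_RE = re.compile(rb"\r\ncontent-type:[ \t]*", re.IGNORECASE)

# pcre:"/<iframe.*?<\/iframe>/im": no /s flag, so "." does not cross a newline.
IFRAME_RE = re.compile(rb"<iframe.*?</iframe>", re.IGNORECASE | re.MULTILINE)

WITHIN = 30  # within:30 from the rules


def match_et_iframe_rule(payload: bytes):
    """Return the sid that would fire on a server->client HTTP payload, or None.

    Mirrors the rule options: the Content-Type header must be present, the image
    MIME literal must lie entirely within the 30 bytes after it (distance:0;
    within:30), and the payload must contain an <iframe>...</iframe> pair.
    """
    header = CONTENT_TYPE_RE.search(payload)
    if header is None:
        return None
    window = payload[header.end():header.end() + WITHIN].lower()
    for mime, sid in IMAGE_SIDS.items():
        if mime in window and IFRAME_RE.search(payload):
            return sid
    return None


def claimed_type_and_body(payload: bytes):
    """Split a raw HTTP response into (lower-cased Content-Type media type, body)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None, b""
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.split(b";", 1)[0].strip().lower(), body
    return None, body


def body_contradicts_content_type(payload: bytes) -> bool:
    """True when the header claims JPEG/GIF/PNG but the body does not start like one.

    Catches HTML served under an image Content-Type even where the rule's regex
    misses (e.g. the iframe spans two lines); it does not catch an iframe
    appended after a real image.
    """
    mime, body = claimed_type_and_body(payload)
    magic = MAGIC.get(mime)
    return magic is not None and not body.startswith(magic)


# Constructed sample responses (not captured traffic).
CLEAN_JPEG = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 8\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JF"
)
INJECTED_GIF = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
    b'<html><body><iframe src="http://example.invalid/x" width=0 height=0></iframe></body></html>'
)
SPLIT_IFRAME_PNG = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"
    b'<iframe src="http://example.invalid/x">\n</iframe>'
)
HTML_PAGE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b'<iframe src="http://example.invalid/x"></iframe>'
)

if __name__ == "__main__":
    for name, sample in [("CLEAN_JPEG", CLEAN_JPEG), ("INJECTED_GIF", INJECTED_GIF),
                         ("SPLIT_IFRAME_PNG", SPLIT_IFRAME_PNG), ("HTML_PAGE", HTML_PAGE)]:
        print(f"{name:17} ET sid: {match_et_iframe_rule(sample)}  "
              f"magic mismatch: {body_contradicts_content_type(sample)}")
```

Running it shows the two failure modes side by side: the plain HTML page with an iframe does not fire, because the rules only care about image Content-Types, and the PNG whose iframe is split across a line break slips past the regex but is still caught by the magic-byte comparison.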
