I have a few Snort rules to signal an alert when a JS file is being downloaded from a web page, however none of them are triggering. I'm not quite sure of the details of writing snort rules, so these were some guesses pooled from various readings.
Not sure if having gzip-encoded JS files makes a huge difference, but I did check my snort.conf file and it does contain the following options:
preprocessor http_inspect_server: server default \
.....
extended_response_inspection \
inspect_gzip \
normalize_utf \
unlimited_decompress \
normalize_javascript \
None of the 3 alerts below trigger even though the JS files contain the word "function", and the HTML file contains JS with the words "snort team!":
alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"JS-Detect1"; file_data; content:"function"; sid:1000000;)
alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (file_data; content:"snort team!"; nocase; msg:"JS-Detect2"; sid:1000001;)
alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (file_data; content:"<script>"; nocase; msg:"JS-Detect3"; sid:1000002;)
The following alert, which is contained in the same rule file, is triggering:
alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"JS-Detect4"; sid:1000003;)
Any advice or help for writing a Snort rule that will trigger an alert when downloading a JS file, or necessary modifications to the snort.conf, would be of great help! Thanks.
I have a scheduled task that starts a hidden-window PowerShell script. The script does some stuff, starts an HTA and waits for the HTA to close:
Start-Process $HTApath -Wait
and then the PoSh script does some other stuff. Everything works great on many machines (Win7 & 10), but on other (fairly stock) systems the HTA often doesn't come to the front and is not seen for hours/days. That's a problem.
I have included JavaScript:
<script type="text/javascript">
[...]
window.focus();
</script>
AND vbscript:
<script language='vbscript'>
Sub window_toFront
    Set Shell = CreateObject("WScript.Shell")
    Shell.AppActivate("UAlbany Security Updates Policy Reboot Notice")
End Sub
window_toFront
</script>
in the HTA, and I've put in timed loops to repeat the attempts. On the machines where the window comes to the front initially, the loops do a very nice job forcing the window back to the front, but on the machines that ignore the directive, repeating the attempt does nothing. Those machines are running the other VBS/JS scripts in the HTA; it is ONLY the push-to-front commands that are not working.
I also tried this "evil" method. It also failed to work on some machines (and crashed a VM).
I've tried testing PoSh options that could be used externally to the HTA (i.e. replacing the Start-Process call in the scheduled script):
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Tricks {
    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool SetForegroundWindow(IntPtr hWnd);
}
"@
# $PID is a read-only automatic variable in PowerShell, so the started process id needs its own name
$htaPid = [System.Diagnostics.Process]::Start($HTApath).Id
Start-Sleep -Seconds 1
$Handle = (Get-Process -Id $htaPid).MainWindowHandle
While ((Get-Process -Id $htaPid -ErrorAction SilentlyContinue) -ne $null) {
    Start-Sleep -Seconds 1
    [void] [Tricks]::SetForegroundWindow($Handle)
}
but it only seems to work if the PoSh window is made active (which won't happen for this process).
Does anyone have any suggestions for getting this to work? I'm particularly interested in understanding why the internal-HTA methods are so hit-or-miss; Is there a Windows/IE setting that could cause this?
Thanks!
Here is the issue that has been nagging for weeks, and all solutions found online do not seem to work... i.e. wait for ajax, etc...
Here are the gem versions:
capybara (2.10.1, 2.7.1)
selenium-webdriver (3.0.1, 3.0.0)
rspec (3.5.0)
running ruby 2.2.5
ruby 2.2.5p319 (2016-04-26 revision 54774) [x64-mingw32]
In the env.rb:
Capybara.register_driver :selenium do |app|
  browser = (ENV['browser'] || 'firefox').to_sym
  # Capybara 2.x class name; Capybara::Driver::Selenium and the :resynchronize option were removed in 2.0
  Capybara::Selenium::Driver.new(app, browser: browser)
end
Capybara.default_max_wait_time = 5
Here is my dynamicpage.feature
Given I visit page X
Then placeholder text appears
And the placeholder text is replaced by the content provided by the json service
and the step.rb:
When(/^I visit page X$/) do
  visit('mysite.com/productx/')
end

When(/^placeholder text appears$/) do
  expect(page).to have_css(".text-replacer-pending")
end

Then(/^the placeholder text is replaced by the content provided by the json service$/) do
  expect(page).to have_css(".text-replacer-done")
end
The web page in question, which I cannot add here as it is not publicly accessible, contains the following on page load:
1- <span class="text-replacer-pending">Placeholder Text</span>
After a call to an external service (which provides the JSON data), the same span class gets refreshed/updated to the following:
2- <span class="text-replacer-done">Correct Data</span>
The problem I have with the "visit" method in Capybara + Selenium is that as soon as it visits the page, it thinks everything has loaded and freezes the browser, and it never lets the service be called to dynamically update the content.
I tried the following solutions, but without success:
Capybara.default_max_wait_time = 5
Capybara::Driver::Selenium.new(app, :browser => browser.to_sym, :resynchronize => true)
adding sleep 5 after the visit method
the wait-for-ajax solution from several websites, etc...
adding After hooks
etc...
I am at a complete loss why "visit" can't wait, or at least provide a simple solution to an issue I am sure is very common.
I am aware of the Capybara methods that wait and those that don't wait, such as 'visit', but the issue is:
there is no content that goes from hidden to displayed;
there is no user interaction either, just the content getting updated.
I am also unsure if this is a Capybara issue or a Selenium issue, or both.
Anyone have insight on any solutions? I am fairly new to Ruby and Cucumber, so specifically what code goes in what file/folder would be much appreciated.
Mel
Restore the wait_until method (add it to your spec_helpers.rb):
require 'timeout'

# DEFAULT_WAIT_TIME was the Capybara 1.x constant; in 2.x the setting is default_max_wait_time
def wait_until(timeout = Capybara.default_max_wait_time)
  Timeout.timeout(timeout) do
    sleep(0.1) until value = yield
    value
  end
end
And then:
# time in seconds
wait_until(20) { page.has_no_css?('.text-replacer-pending') }
expect(page).to have_css(".text-replacer-done")
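The polling idea behind the answer above, as an added example that is not part of the original answer: a wait_until built on a monotonic deadline (so a system clock change cannot stretch or shorten the wait), exercised against a simulated page so it runs without a browser or Selenium. FakePage, its settle delay and the placeholder_replaced? step are constructed for this example; in real steps Capybara's own has_css?/has_no_css? matchers already poll and would be passed as the block.

```ruby
require 'timeout'

# Poll the block every `interval` seconds until it returns a truthy value.
# Returns that value, or raises Timeout::Error once `timeout` seconds elapse.
def wait_until(timeout = 5, interval = 0.1)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  loop do
    value = yield
    return value if value
    if Process.clock_gettime(Process::CLOCK_MONOTONIC) >= deadline
      raise Timeout::Error, "condition not met within #{timeout}s"
    end
    sleep interval
  end
end

# Constructed stand-in for the page in the question: the span's class flips
# from "pending" to "done" once the (simulated) JSON service has answered.
class FakePage
  def initialize(settle_after)
    @ready_at = Process.clock_gettime(Process::CLOCK_MONOTONIC) + settle_after
  end

  def html
    if Process.clock_gettime(Process::CLOCK_MONOTONIC) >= @ready_at
      '<span class="text-replacer-done">Correct Data</span>'
    else
      '<span class="text-replacer-pending">Placeholder Text</span>'
    end
  end

  # Minimal look-alikes of the Capybara matchers, matching on the class name only.
  def has_css?(selector)
    html.include?(%(class="#{selector.sub(/\A\./, '')}"))
  end

  def has_no_css?(selector)
    !has_css?(selector)
  end
end

# The step from the answer: wait for the placeholder to disappear, then
# check the replacement is there. Returns true on success, raises on timeout.
def placeholder_replaced?(page, timeout: 2)
  wait_until(timeout) { page.has_no_css?('.text-replacer-pending') }
  page.has_css?('.text-replacer-done')
end

if __FILE__ == $PROGRAM_NAME
  puts placeholder_replaced?(FakePage.new(0.3))            # service answers in time
  begin
    placeholder_replaced?(FakePage.new(10), timeout: 0.5)  # service too slow
  rescue Timeout::Error => e
    puts "timed out: #{e.message}"
  end
end
```

The timeout path matters as much as the happy path: a step that swallows the Timeout::Error would report a green test against a page whose service never answered.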
#maxple and #nattf0dd
Just to close the loop on our issue here...
After looking at this problem from a different angle,
we finally found out Cucumber/Capybara is not the problem at all :-)
The issue we are having lies with the Firefox browser driver (SSL related), since we have no issues when running the same test with the Chrome driver.
I do appreciate the replies and suggestions and will keep those in mind for the future.
thanks again!
#!/usr/bin/perl -w
use strict;
use warnings;
use diagnostics;
use CGI::Carp 'fatalsToBrowser';
use CGI qw(-debug);
use CGI ':standard';
print header(),
    start_html(-title => "OutSide File", -script => {-type => "text/javascript", -src => "javascript/javafile.js"}),
    ' mouse On ',
    end_html;
javafile.js is:
function testfunc() {
    alert("File");
}
The testfunc does not alert on the screen.
I created the HTML file with
perl test.pl >test.html
and opened the resulting file in Firefox and IE. The alert shows up perfectly.
Some issues that might prevent the alert from happening:
Wrong directory hierarchy: javafile.js must be in a javascript subdirectory relative to the page.
JavaScript is suppressed by NoScript (Firefox) or disabled in the appropriate security zone (IE).
I was using the FiddlerCore proxy to do some script injection. I noticed that the Gmail login just failed after its login progress bar kept moving forward and backward for some time. A sample is given below using C#, tested using Google Chrome as the browser. The code below goes inside the BeforeResponse event of the Fiddler proxy, where oS is the HTTP session.
oS.utilDecodeResponse();
oS.utilReplaceInResponse("</body>", "<script type='text/javascript'>var a = 10;</script></body>");
Updated
As Eric has suggested, I made sure that the script is not conflicting with any other JavaScript variables. Added the script only in the expected page when Gmail logs in. However, the problem is still there.
if (oS.oRequest.headers.HTTPMethod == "GET" || oS.oRequest.headers.HTTPMethod == "POST")
{ //exclude other HTTP Status codes
    if (oS.oResponse.headers.HTTPResponseStatus == "200 OK")
    {
        if (!oS.oRequest.headers.Exists("X-Requested-With"))
        {
            var accept = oS.oRequest.headers.FindAll("Accept");
            // FindAll returns an empty list when the header is absent; guard before indexing
            if (accept.Count > 0 && accept[0].Value.Contains("text/html"))
            {
                if (oS.oResponse.MIMEType == "text/html")
                {
                    oS.utilDecodeResponse();
                    // the quotes of the injected JavaScript must be escaped inside the C# string literal
                    string script = "alert(\"Hello\");";
                    //The main http request after gmail login has a response with a script closing tag before body closing, so I am replacing it with my script added.
                    oS.utilReplaceOnceInResponse("</script></body>", script + "</script></body>", false);
                }
            }
        }
    }
}
Works fine with Chrome; however, in Safari and Opera the alert is called infinitely, as is the HTTP request to reload the page.
The problem you're having is that your replacement is insufficiently precise. You're replacing ALL instances of </body> on ALL pages with a string containing quotation marks. However, in some of the instances, the string you're replacing is appearing within JavaScript strings in the Google application, and as a consequence you're mangling the JavaScript string and causing a script error.
Use the following script sample to get a better understanding of all of the places you're replacing, then update your script to more specifically replace the expected string on only the expected page.
oSession.utilDecodeResponse();
if (oSession.utilReplaceInResponse("</body>", '<!-- INJECTED --></body>'))
{
    oSession["ui-backcolor"] = "lime";
}
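The failure Eric describes, as an added example that is not part of the answer or of Fiddler's own code (and in Ruby rather than FiddlerScript, so it runs offline): a page in which "</body>" also occurs inside a JavaScript string literal, the blanket replacement that utilReplaceInResponse performs, and a narrower replacement that only touches the document's real closing tag. SAMPLE_PAGE and PAYLOAD are constructed for this example; the inside-a-script check is a simple open/close tag count, not a JavaScript parser.

```ruby
# The script the question injects before </body>.
PAYLOAD = %(<script type="text/javascript">var a = 10;</script>)

# Constructed page: web apps routinely build markup in JS strings, so the
# bytes "</body>" can appear inside a <script> block as well as at the end.
SAMPLE_PAGE = <<~HTML
  <html><head><title>x</title></head><body>
  <script>var tpl = "<p>hi</p></body>";</script>
  <p>content</p>
  </body></html>
HTML

# Equivalent of oS.utilReplaceInResponse("</body>", payload + "</body>"):
# every occurrence, wherever it sits.
def inject_everywhere(body, payload)
  body.gsub('</body>', payload + '</body>')
end

# Narrow version: only a "</body>" followed by nothing but whitespace and
# "</html>" at the very end, i.e. the real end of the document.
def inject_at_real_body_close(body, payload)
  body.sub(/<\/body>(?=\s*<\/html>\s*\z)/i) { payload + '</body>' }
end

# Offsets at which the payload landed inside one of the page's own
# <script>...</script> blocks. There the payload's double quotes terminate
# the JS string literal early, which is the script error Eric describes.
def payload_offsets_inside_script(injected, payload)
  offsets = []
  pos = 0
  while (i = injected.index(payload, pos))
    before = injected[0...i]
    open_count = before.scan(/<script\b/i).size
    close_count = before.scan(%r{</script>}i).size
    offsets << i if open_count > close_count
    pos = i + payload.length
  end
  offsets
end

if __FILE__ == $PROGRAM_NAME
  naive = inject_everywhere(SAMPLE_PAGE, PAYLOAD)
  narrow = inject_at_real_body_close(SAMPLE_PAGE, PAYLOAD)
  puts "naive:  #{naive.scan(PAYLOAD).size} copies, " \
       "#{payload_offsets_inside_script(naive, PAYLOAD).size} inside a script block"
  puts "narrow: #{narrow.scan(PAYLOAD).size} copies, " \
       "#{payload_offsets_inside_script(narrow, PAYLOAD).size} inside a script block"
end
```

The narrow pattern still does nothing on a page that omits </html>, so in a proxy the replacement should additionally be gated on the expected URL and Content-Type, as the updated code in the question does.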
I would like to test how loading external javascripts affect the page when remote servers are slow to respond.
I looked for tools that can slow down connection for specific sites but I could only find tools that slow down the whole network or that don't exist for Mac (like here or here)
Are there tools like that?
Using the Detours App for Mac, you can redirect certain hosts to your own local web server. From your server, you can then fetch the resource (via curl, etc.), sleep for a certain amount of time, and then return the response.
It's not the easy way out, but you could use iptables (the Unix IP router) in conjunction with tc (traffic control)?
This is quite extensive if you don't know how terminal bash scripting works, but you will need a terminal 100% for a proper solution.
If this does not work for you, try a simpler method: http://lartc.org/howto/lartc.ratelimit.single.html
Store this in, for instance, your home folder and call it bwm.sh:
#!/bin/bash
# usage: bwm.sh IFACE HOST RATE   (e.g. bwm.sh eth0 example.com 64kbit)
set -eu
# through this interface
IF=$1
# on this HOST
HOST=$2
# get the IP from HOST (first "Address:" line that is not the resolver's own "x.x.x.x#53" line)
HOSTIP="$(nslookup "$HOST" | awk '/^Address:/ && !/#/ {print $2; exit}')"
# with this rate
your_rate=$3
# defaults /sbin/tc
TC="$(command -v tc)"
# defaults /sbin/iptables
IPTABLES="$(command -v iptables)"
#some number
PRIO="123"
# you create a new rule in the mangle table
IPT="$IPTABLES -t mangle"
echo "Program locations found: iptables: $IPTABLES and tc: $TC"
printf 'down-rating bandwidth\n on %s\n to %s whilst marking packets that originate\n from %s\n with %s on interface\n named %s\n' "$HOST" "$your_rate" "$HOSTIP" "$PRIO" "$IF"
echo -n "starting setup.."
# apply custom filter
$IPT -N myfilter
# add it to the POSTROUTING chain
$IPT -A POSTROUTING -j myfilter
# if conntrack is used - restore a mark and allow the packets, which already have been marked, through - no need to check again
$IPT -A myfilter -p tcp -j CONNMARK --restore-mark
$IPT -A myfilter -m mark --mark "$PRIO" -j ACCEPT
# add to it your matching rule
# (tc shapes egress only and POSTROUTING sees packets this box sends out, so packets *from* $HOSTIP
#  are matched here when this box is the router forwarding them to the LAN, i.e. on the LAN-facing $IF)
$IPT -A myfilter -p tcp -s "$HOSTIP" -j MARK --set-mark "$PRIO"
# conntrack it optionally, so not every packet has to be rematched
$IPT -A myfilter -j CONNMARK --save-mark
# use that mark in a tc filter rule
echo qdisc add
# unclassified traffic is sent to class 30; that class is deliberately not created, so it goes out unshaped
$TC qdisc add dev "$IF" root handle 1: htb default 30
echo class add
$TC class add dev "$IF" parent 1: classid 1:1 htb rate "$your_rate" # <<<<<<<< fill in rate
echo sfq add
# add an SFQ qdisc to the end - to which you then attach the actual filter
$TC qdisc add dev "$IF" parent 1:1 handle 10: sfq perturb 10
echo filter add
# the fw filter is attached to the root qdisc (parent 1:), not to the class it selects
$TC filter add dev "$IF" parent 1: prio 1 handle "$PRIO" fw flowid 1:1
echo "done"
Now open a terminal window and obtain root permissions
(Finder > Terminal > open; we go to the user's home and become the superuser):
cd; su
Enter the root password, then
start the program with interface, hostname and rate parameters:
bash bwm.sh IF HOST RATE