cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
3
Replies

Signature for new PDF XSS

rnaydenov
Level 1
Level 1

Hi,

Has someone been able to make an IPS signature for the new PDF XSS?

I have tried something on the http service engine, but I'm having troubles specifying the # symbol as well as the multiple characters that may be anything.

3 Replies 3

craiwill
Cisco Employee
Cisco Employee

We are currently looking into several new PDF vulnerabilities for inclusion in an official signature update. In the meantime, you should consider using the string-tcp engine ?from-service? on #webports for a custom signature. The easiest way to encode most characters is to use the hex ASCII (ex: \x20 for space) representation or enclose them in a character class ([ ]). If you can provide any additional information into which specific vulnerability/exploit your trying to address I may be able to be of more assistance.

In this case I think I would write a return web signature so that we detect malicious incoming web pages (instead of ones that have been clicked).

I would consider something along the following lines:

String.tcp

From service

Port: #WEBPORTS

Summary Mode: Summarize

Summary Key: Axxx

Event Key: Axxx

[Hh][Rr][Ee][Ff][=][\x22\x60][Hh][Tt][Tt][Pp][:]\x2f\x2f[^\x0d\x0a\x3e\x7e-\xff]+[.][Pp][Dd][Ff][\x23][^\x0d\x0a\x3e\x7e-\xff]+[=][Jj][Aa][Vv][Aa][Ss][Cc][Rr][Ii][Pp][Tt]\x3a

Review Cisco Networking for a $25 gift card