I was originally going to include this image in the HOPE and Defcon talk I did earlier this year when talking about 8ball, but we conservatively decided not to.
If you are viewing this blog post at a location that uses an IDS, then the people that review the logs may get an alert or two. Nice that I warn of that now ;). Explanation after the image.
If you run strings on the jpg, after sifting through some of the garbage, you’ll eventually notice this peculiar string:
The fact that I put that string on this page should cause some more alerts…
Go ahead and hop on over to these alerts and search for these sids: 2000106, 2100139, 2017330, 2100981, and 2101008.
If you don’t feel like searching those pages, here are the rules for your convenience:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL sp_delete_alert attempt"; flow:to_server,established; content:"sp_delete_alert"; nocase; fast_pattern:only; reference:url,doc.emergingthreats.net/2000106; classtype:attempted-user; sid:2000106; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; fast_pattern:only; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:2100139; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101008; rev:9;)
Not all of these rules are guaranteed to be uncommented, at the same revision, or enabled in your environment (assuming it uses Snort or Suricata). Additionally, if you are using a SIEM or anything else that normalizes or filters out some of this traffic, the alerts may still not come through.
However, at the time of creating this image, all 5 alerts would trigger every time I loaded the image.
The best part is that the string that triggers the alerts is graphically that little glitch near the top of that “white powder” that the animals are eyeballing. In other words: they are literally snorting strings that light them up!
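As an added example (not code from the original post), here is a small Python sketch of what those five sids actually check: a `strings`-style extractor plus a matcher for the content/nocase/distance/pcre options of the rules quoted above, run over a constructed JPEG-like byte string. The sample bytes are made up for the demo (not the post's image), and the option semantics are a deliberate simplification of Snort's.

```python
import re

# Content options lifted from the five rules quoted above, with Snort's |hex|
# escapes decoded.  Each entry: (pattern, nocase, relative to previous match),
# where "relative" stands in for distance:0.  Simplified semantics (assumption):
# no depth/offset/within handling, and fast_pattern does not affect a match.
RULES = {
    2000106: [(b"sp_delete_alert", True, False)],
    2100139: [(b"http://127.0.0.1", False, False)],
    2017330: [(b"SELECT", True, False), (b"sysobjects", True, True)],
    2100981: [(b"/..%c0%af../", True, False)],
    2101008: [(b"&del+/s+c:\\*.*", True, False)],
}
# sid 2100139 additionally requires its pcre to match (the /i flag = ignore case).
PCRE = {2100139: re.compile(rb"http\x3A\/\/127\.0\.0\.1\/.*\.asp", re.I)}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings`: runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def rule_matches(sid: int, payload: bytes) -> bool:
    """Apply one rule's content chain in order, then its pcre if it has one."""
    cursor = 0
    for pattern, nocase, relative in RULES[sid]:
        base = cursor if relative else 0      # distance:0 => search after last hit
        hay = payload[base:]
        idx = hay.lower().find(pattern.lower()) if nocase else hay.find(pattern)
        if idx < 0:
            return False
        cursor = base + idx + len(pattern)    # next relative match starts here
    return sid not in PCRE or PCRE[sid].search(payload) is not None


def triggered_sids(payload: bytes) -> list:
    """Return the sids whose options all match the payload, in sid order."""
    return sorted(sid for sid in RULES if rule_matches(sid, payload))


# Constructed JPEG-like blob (not the post's image): SOI + APP0 header, some
# binary filler, one ASCII run, more filler, EOI.
SAMPLE_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
    + b"\x00\x0b\x8e\x02\x00"
    + b"SELECT name FROM sysobjects -- sp_delete_alert"
    + b"\x00\x8f\x13\xff\xd9"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_JPG):
        print("string:", s.decode())
    print("sids:", triggered_sids(SAMPLE_JPG))   # [2000106, 2017330]
```

Swapping the order of the two words in the 2017330 sample shows why `distance:0` matters: "sysobjects then SELECT" no longer matches, while "select * from SysObjects" still does thanks to `nocase`.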