Custom signature to detect malicious JavaScript

Using "US-CERT Critical Infrastructure Information Notice CIIN-08-005-01 January 05, 2008" as the reference, I'd like to create a custom signature that looks for the string "0.js".
The effort is to determine if my webservers have been or will be impacted as we allow SQL queries and injection, but the servers are patched.
Thanks

You can find information on using the custom signature wizard here: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a0080618a2a.html
-- Shiva
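
The string match asked about above, as an added example that is not part of the original thread: it compares the bare substring "0.js" with a tighter pattern on constructed request and response lines, to show which benign file names the substring would also fire on. The tighter pattern, the sample lines and the host `bad.example` are assumptions, not taken from the advisory.

```python
import re
from urllib.parse import unquote

# The bare string from the post, used as a substring signature.
NAIVE = re.compile(r"0\.js")
# Tighter form (an assumption, not taken from the advisory): a file named
# exactly "0.js", bounded by "/" on the left and a delimiter on the right.
STRICT = re.compile(r"/0\.js(?=$|[\s\"'<>?#&)])", re.IGNORECASE)

# Constructed sample lines; bad.example is a reserved documentation name.
SAMPLES = [
    "GET /static/jquery-1.10.0.js HTTP/1.1",
    "GET /js/app-2.0.js?cache=1 HTTP/1.1",
    "GET /reports/0.jsp HTTP/1.1",
    '<script src="http://bad.example/0.js"></script>',
    "<script src=http://bad.example/0.js></script>",
    "GET /page?ref=http%3A%2F%2Fbad.example%2F0.js HTTP/1.1",
]


def check(line):
    """Return (naive_hit, strict_hit) for one request or response line."""
    text = unquote(line)  # percent-decode so %2F0.js is seen as /0.js
    return bool(NAIVE.search(text)), bool(STRICT.search(text))


def triage(lines):
    """Split lines into exact-name matches and substring-only matches."""
    hits, noise = [], []
    for line in lines:
        naive, strict = check(line)
        if strict:
            hits.append(line)
        elif naive:
            noise.append(line)
    return hits, noise


if __name__ == "__main__":
    hits, noise = triage(SAMPLES)
    print("file named exactly 0.js:", *hits, sep="\n  ")
    print("substring only (other file names):", *noise, sep="\n  ")
```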

Similar Messages

  • Malicious Javascript code added to the bottom of my HTML

    Hello,
    Below is the code to my main page, called index.php.  It is what shows when I type my domain into the browser.  On a few occasions, when I open it in Internet Explorer, some malicious javascript code has been added to the bottom of the code.  The malicious javascript code looks like: "<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,120,101,119,61,57,56,55,49, 51,49,..."
    It seems like this code then installs a fake anti-virus program on the computer of anyone who visits my site.  How can I prevent this malicious javascript from getting written into my source code?
    Thanks,
    John
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <?php
    session_start();
    unset($_SESSION['find']);
    ?>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Title</title>
    <link rel="stylesheet" type="text/css" href="tablestyles.css">
    </head>
    <body>
    <div class="mainlinks"><a href="about.php" class="links">About</a><a href="testpage.php" class="links">New Testpage</a><a href="tablecreate.php" class="links">Table Create</a></div>
    <div class="line"></div>
    <div class="smalllogo"><a href="index.php"><img src="images/logo.png" alt="Tywod" width="170" height="45" border="0"/></a></div>
      <div class="searchbox">
      <form action="tsearch14.php" method="post">
      <label>Enter Topic:
      <input type="text" name="find" size="55"/>
      <input type="hidden" name="searching" value="yes" />
      <input type="submit" name="search" value="Search" />
      </label>
      </form>
      </div>
    <div class="line2"></div>
    <div class="copyright">©2009 Title</div>
    </body>
    </html>

    You may find this blog post valuable!
    http://blog.cartweaver.com/index.cfm?newsid=56
    Lawrence   *Adobe Community Expert*
    www.Cartweaver.com
    Complete Shopping Cart Application for
    Dreamweaver, available in ASP, PHP and CF
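
A static check for the injected block described in the question above, as an added example that is not part of the original thread: it finds `String.fromCharCode(...)` calls in a page, decodes the numbers without running any script, and reports whether the call is wrapped in `eval(` and sits after the closing `</html>` tag. The sample page is constructed, treating "after `</html>`" as the meaning of "bottom of the code" is an assumption, and the number list is the truncated fragment quoted in the post.

```python
import re

# Decimal argument list of String.fromCharCode(...); stops at the first
# character that is not a digit, comma or whitespace, so truncated input works.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*(\d[\d,\s]*)", re.IGNORECASE)
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed page: the number list is the truncated fragment quoted in the post.
SAMPLE = (
    "<html><body><div>Title</div>"
    "<script>var a = String.fromCharCode(65, 66);</script></body>\n</html>\n"
    '<script type="text/javascript">eval(String.fromCharCode('
    "118,97,114,32,120,101,119,61,57,56,55,49, 51,49,"
)


def decode_charcodes(arg_list):
    """Turn "118,97,..." into text without executing any script."""
    codes = [int(tok) for tok in arg_list.split(",") if tok.strip()]
    return "".join(chr(c & 0xFFFF) for c in codes)  # fromCharCode keeps 16 bits


def scan_page(html):
    """Report each fromCharCode call, its decoded text and where it sits."""
    closes = [m.end() for m in CLOSE_HTML.finditer(html)]
    doc_end = closes[-1] if closes else None
    findings = []
    for m in FROMCHARCODE.finditer(html):
        prefix = html[max(0, m.start() - 16):m.start()]
        findings.append({
            "offset": m.start(),
            "decoded": decode_charcodes(m.group(1)),
            "wrapped_in_eval": prefix.replace(" ", "").lower().endswith("eval("),
            "after_closing_html": doc_end is not None and m.start() > doc_end,
        })
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE):
        flag = f["wrapped_in_eval"] and f["after_closing_html"]
        print("SUSPICIOUS" if flag else "review", f["offset"], repr(f["decoded"]))
```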

  • Signature field detected - I never added a signature field

    Hi, when I open my PDF in Reader, I suddenly get a green bar along the top saying "Signature field detected." I never added a signature field to the PDF. How do I remove this green bar? Thanks, Siegfried

    Windows 7, 64.  MSIE 10. All updates installed.  And BTW, I am now in "compatibility mode" - still nogo.
    Perhaps related: I've noticed since... maybe a few months ago: The paste "cache" (or whatever it's called) works differently now.  Now if I "copy", then open a program, then hit "paste", nothing happens. That is: I have to open the target ap before copying from the original ap. 
    And so, if I want to copy from Word to Excel... If I copy, then open Excel... "paste" does nothing.  I have to go back to Word, copy again, and then paste. 
    Caveat: I have not done any troubleshooting with this.  And so, I can't say 100% that that is what's happening there.  Maybe just 95%.
    I've assumed this apparent change is some sort of new security thing from MS to prevent cross-ap pasting instigated by malware.  But other than that, paste works in every other ap I have - whether I copy from Text Editor to paste into another ap, or copy & paste within an ap, etc.  Except right here.

  • Custom signature

    I have scanned my handwritten signature for use with emails. I have been able to add this to my Outlook emails in my office on a PC but have not been able to figure out how to create a custom signature for my iPhone & iPad.
    Rob

    step 1: send your handwritten signature from your PC to your iphone and ipad.
    step 2: on your iphone and ipad, hold the picture and select copy
    step 3: Go to Settings > Mail, contacts and Calendars > Signature and paste the picture
    Done

  • Adding custom signature to Mail

    I know this has GOT to be easy, but I am totally stumped. I have several email accounts, and have signatures set up for each in preferences for each. My problem is that I just cannot figure out how to have my signature use any other font besides the default font. It is driving me nuts. I've even tried creating it how I want in Pages, and copying/dragging it into the signature, and it keeps changing the font to the default Helvetica.
    Any ideas?

    In the Signature preferences be sure you have not checked the box to "Match the font ...." Also, be sure you have configured Mail to use Rich Text rather than plain text. This is done in Mail's Composing preferences.
    If you still have problems here are two possible solutions. One is to create your custom signature in an HTML editor. A simple editor that would work is Level4 - VersionTracker or MacUpdate. Then paste the resulting HTML code for your signature into the Signature preferences in Mail. The other would be to create your signature in Pages, for example, and output a PDF file. You can then insert the PDF file as your signature.

  • Custom signature for TOR Application

    Hi,
    I want to create a custom signature to produce an alert whenever any machine launches the TOR application. I have searched and found that there are already two signatures created, 5816/0 and 5816/1; I have enabled them and tested, and they did not fire.
    I have IPS in promiscuous mode monitoring all VLANs, working normally. I don't have SSL interception at any device, so once TOR is established I don't have visibility over the traffic.
    I need help in creating such a signature. I have taken a Wireshark capture of the traffic and all I can see on the application layer is proxy connect and proxy port (see attached).
    Thanks for your help.

    Hi nkumarsr,
    I have created a TCP string signature for ports 9001, 9090
    and I have also added it in the built-in signatures 5816/0 and 5816/1.
    I launched TOR and it did not fire. I took a capture on the client PC and searched for tcp.port == 9001 and 9090; it is not showing.
    Do you have any other ideas?

  • Customer Signature in customer Master w/o DMS?

    Hi.
    Can we upload Customer Signature in Customer master without DMS(Document Management Server) ?
    Reg,
    antaa21

    Hi,
    Use transaction code VPE1 to create the sale employee and attach this to the customer number.
    Regards

  • Custom signature in CSM3.0 for IDSM2 with IPS5.1

    I am trying to add a custom signature in CSM3.0 for IDSM2 which is running IPS5.1 in cat6500. I am using the custom wizard to create the custom signature (say "sweep"). Under signature, IPS5.x, I could see the created custom signature, but when the signature triggers, IPS event viewer shows only the old (built in - sweep) signature ID and not the customized one.
    Just to test the changes in effect,
    I tried to change the event level, say "low" to "high", for one of the built in signatures (sweep 2100) by editing the same. Display shows the changed level, but when the signature triggers the IPS event viewer shows the level as "low" instead of "high".
    Also I tried with enabling the check box for the option "retire".
    How do I create and test the customized signature? I tried with both IDM and CSM3.0. Any suggestions...

    The custom headers and client IP and port headers are inserted in every HTTP request packet. Full session headers and decoded client certificate fields are inserted in the first HTTP request packets; only the session ID is inserted in subsequent HTTP requests that use the same session ID. The servers are expected to cache the session or client certificate headers based on the session ID and use the session ID in subsequent requests to get the session and client certificate headers.

  • WLC IPS custom signature file

    Hi,
    Where can I download the WLC IPS custom signature file? Does WLC support OpenLDAP for user web or 802.1x authentication?
    Best Regards,
    Jackson Ku

    The documentation for 5.1 is located at:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
    I believe the regex you want is:
    [Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
    The + field allows for any printable characters (but there must be at least 1) in the senders email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.
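
The regex from the reply above exercised on constructed SMTP command lines, as an added example that is not part of the original thread: it shows which inputs the pattern fires on, including the "at least 1" character requirement the reply mentions. Python's `re` module stands in for the sensor's regex engine (an assumption), and `VARIANT` is a comparison pattern introduced here, not something from the thread.

```python
import re

# The regex exactly as posted in the reply above.
POSTED = re.compile(
    r"[Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]"
)
# Variant for comparison (an assumption, not from the thread): accept space or
# tab after MAIL and require a literal dot before "com".
VARIANT = re.compile(
    r"[Mm][Aa][Ii][Ll][ \t]+[Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx][.][Cc][Oo][Mm]"
)

# Constructed SMTP command lines.
SAMPLES = {
    "tab_separator": "MAIL\tFROM:<bob@sex.com>",
    "space_separator": "MAIL FROM:<bob@sex.com>",
    "mixed_case": "mail\tfrom:<Bob@SEX.COM>",
    "no_dot": "MAIL\tFROM:<bob@sexycom>",
    "empty_local_part": "MAIL\tFROM:@sex.com",
    "other_domain": "MAIL FROM:<bob@mail.example>",
}


def evaluate(pattern):
    """Map each sample name to whether the pattern fires on it."""
    return {name: bool(pattern.search(line)) for name, line in SAMPLES.items()}


def differences():
    """Sample names on which the posted regex and the variant disagree."""
    posted, variant = evaluate(POSTED), evaluate(VARIANT)
    return sorted(name for name in SAMPLES if posted[name] != variant[name])


if __name__ == "__main__":
    posted, variant = evaluate(POSTED), evaluate(VARIANT)
    for name, line in SAMPLES.items():
        print(f"{name:18} posted={posted[name]!s:5} variant={variant[name]!s:5} {line!r}")
```

The two patterns disagree on the space-separated command and on the address without a dot, which is where a signature built from either one would differ in misses and false alarms.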

  • Signature Fields not taking info (In custom signature)

    When creating a custom signature
    - there are fields that will not let you enter info-
    then you may not submit your signature- because fields are missing.
    1. Is Nickname
    2. Email address
    I was under Business signature
    Thank you

    My "problem" seems to have solved itself. Very strange. What I did at my first attempt was to clone several custom signatures from a single custom rule in the IDSM. First rule worked in MARS but not the others, only difference was that the later rules were created as subsignatures and imported into MARS as such. When that didn't work I tried to create the IDS rules as separate rules instead of subsignatures and reimport them into MARS, no luck there either.
    I removed my custom signatures from the IDSM and left everything for the weekend. When I returned this Monday and reentered the signatures into the IDSM and tried them out MARS managed to parse them correctly, even put them into the correct event group.
    I've no idea what I've done differently but it's all working fine now
    /Fredrik

  • IDS Signature attack detected...

    I think my WLAN is under two DOS attacks, Deauth flood and Reassociation flood... The following are the traps shown on the controller (WLC 4402):
    IDS Signature attack detected. Signature Type: Standard, Name: Deauth flood, Description: Deauthentication flood, Track: per-Mac, Detecting AP Name: W-Seattle-StudioRm8-02Flr-B-Fa36, Radio Type: 802.11b/g, Preced: 9, Hits: 30, Channel: 1, srcMac: 00:15:AF:ED:96:36
    IDS Signature attack detected. Signature Type: Standard, Name: Reassoc flood, Description: Reassociation Request flood, Track: per-signature, Detecting AP Name: W-Seattle-StudioRm2-02Flr-B-Fa43, Radio Type: 802.11b/g, Preced: 6, Hits: 50, Channel: 6, srcMac: 00:1D:E0:99:5E
    The network is for hotel guests so there is no authentication/encryption... Any suggestions about how I can mitigate those attacks?
    In the trap messages they also list the Src MAC addresses. However I was reading about those two attacks and seems the attacks are actually spoofing MAC addresses of clients. So are they the real mac addresses of the hacker? Should I block them?
    If I should, how can I do it? I was thinking of using MAC-filter, however it seems to only allow clients with configured MAC addresses and will deny the ones that are not listed... As you can guess, we are a hotel environment and we can't keep allowing new MAC addresses for new guests... So any suggestions?
    Any advice is welcome! Thank you!

    When you see 'deauth flood' messages this means that an AP is seeing a lot of deauths in the air. These messages often happen when a NIC card leaves an area where there are dense APs.
    If you want this to trigger less often:
    5.0:
    Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack
    Wireless Protection Policies > Standard Signatures > >
    modify/save
    for example if you wanted to see the alarm on '60' detections of
    'Deauth flood' instead of '50'.
    Below 5.0:
    You can modify the IDS settings so that the messages occurs less often
    or not at all:
    http://www.cisco.com/warp/public/102/controller_ids_sig.html
    If you want it to trigger not at all:
    Management > Trap Controls > 802.11 Security Traps > IDS Signature Attack
    Below 5.0:
    http://www.cisco.com/warp/public/102/controller_ids_sig.html

  • IDS 4215 http custom signature

    Hello,
    I am trying to build a custom signature that is matching http header or body that contains certain regular expression. Any Ideas how to do that ? I tried Web Server signature but there I can only match HTTP header.

    Try this:
    1) Login to the sensor via IDM with an admin privileged account
    2) Select “Configuration -> Sensing Engine -> Signature Wizard”
    3) Select “Start the Wizard”
    4) Select the “Web Server Signature” option
    5) Set your SigID, Sig Name, Alert and User Notes as appropriate and click “Next”
    6) Adjust the service ports (if necessary) and click “Next”
    7) Given the intentions of your signature, leave the “Web Server Buffer Overflow Checks” fields empty and click “Next”
    8) Put your regex into the “HTTP Request Regular Expression” because it will match the text within the entire HTTP request. Click “Next”
    9) Set your alerting preferences (severity, etc.) and click “Next”
    10) Adjust your alerting behaviour if you want (Click “Advanced”), or accept the defaults by clicking “Next”
    11) Click on “Create” to generate the signature
    I hope this helps,
    Alex Arndt

  • Java code for signature-based detection

    Hello,
    Please, do you have Java code for signature-based detection in VANET
    or anomaly detection? Please help.

    please post in English

  • Using IPS 6.3 customized signatures in CS MARS

    A client has a Cisco IPS 6.3 module installed in a Catalyst 6500, *with fully customized signatures* which generate thousands of alerts clearly visible in its IPS Event Viewer.
    MARS is pulling info from that IPS, but the customized signatures do not appear in any Incident. Is it possible for MARS to pull all those customized signatures??
    Thanks in advance

    The first step is to get MARS to parse the event. The next step is to create the necessary inspection rules.
    You can start here:
    http://ciscomars.blogspot.com/2008/03/custom-ips-signatures-with-cisco-mars.html

  • S492 : Bad Custom Signature ID ... [5577]

    Hi,
    I've implemented signature update S492, but apparently there is a problem with the new signature 5577.1 : SMB Secure NULL Login Attempt . During the upgrade process run from our CSM V3.3.1, the deployment manager returns an error :
    instance=sig0:unspecifiedError:Bad Custom Signature ID ... [5577].  Can not create a custom signature with sig-id < 60000
    When I verify on the sensors themselves, this new signature is nowhere to be found.
    Best regards.

    Signature# 5577 is a new signature from s492 signature update:
    http://www.cisco.com/web/software/282549755/34252/IPS-sig-S492.readme.txt
    Do you happen to have a custom signature with sig# 5577 by any chance?
    If you don't, then you might want to open a TAC case as it might be a new bug.
