Rule Category

BROWSER-IE -- Snort has detected traffic known to exploit vulnerabilities present in the Internet Explorer browser, or products that have the Trident or Tasman engines.

Alert Message

BROWSER-IE Microsoft Internet Explorer redirect to cdl protocol attempt

Rule Explanation

This preprocessor fires when Snort detects JavaScript obfuscation levels in excess of what it is configured to allow.

What To Look For

Snort monitors how much obfuscation the JavaScript on webpages uses. When multiple levels are observed, this alert is generated, as excessive obfuscation is a suspicious practice.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

In the modern web, a sizeable amount of JavaScript code is obfuscated in order to keep it moderately "secret". This is a practice that should be discouraged because it makes it harder to distinguish this code from malicious code trying to avoid inspection.

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Defense Evasion

Technique: Obfuscated Files or Information

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

CVE-2011-1262
Microsoft Internet Explorer 7 through 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "HTTP Redirect Memory Corruption Vulnerability."
Details
Severity: HIGH
Base Score: 9.3
Impact Score: 10.0
Exploit Score: 8.6
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector:
Authentication: NONE
Ease of Access: