Rule

--
Sid
23226

--
Summary:
This event is generated when a suspicious JavaScript routine associated with known malicious web pages is executed.

--
Impact:
Likely malicious content hosted on the web page being downloaded.

--
Detailed Information:
This rule looks for a custom function being declared as the current browser window's error handling routine. Specifically, it looks for a function with always returns true, which effectively suppresses all errors on the page. This is a useful technique for hiding exploitation.

--
Affected Systems:
All web browsers are potentially vulnerable to malicious content hosted on sites like this.

--
Attack Scenarios:
Attackers would declare this function near the start of execution of an exploit page, in order to suppress non-fatal errors during the exploitation process.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Examine the packet for signs that the rest of the page contained maliciou data. Check for other IDS or other tool events related to the TCP stream in question. Verify patch levels and antimalware solutions, such as FireAMP, on the endpoint host. If exploitation appears to have occurred, consider rebuilding the impacted machine.

--
Contributors:
Sourcefire Vulnerability Research Team

--
Additional References:

None. 
--
