Snort mailing list archives

SMTP MS Windows Mail UNC navigation remote command execution rule #11837


From: Chris Stevens <chrisstevens () users sourceforge net>
Date: Mon, 5 Jul 2010 12:08:49 +1000

Hi,

I'm trying to minimise false positives on our primary snort IDS - this is
one of the alerts which seems to trigger quite often. The archives show me
the same question was asked in 2007 with no answer.

Sample packet:

ww.quivamail.com/go/?434C4A415E575F43435544534B4D5B4841
Report Abuse: abuse () zookoda com
--------=_NextPart_000_0030_01.1277703939358
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
<zoostart />
<html><head><meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type"><title></title></head><body><meta
http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><meta
name="ProgId" content="Word.Document"><meta name="Generator"
content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word
11"><link rel="File-List"
href="file:///C:%5CDOCUME%7E1%5CJBRESO%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><link
rel="Edit-Time-Data"
href="file:///C:%5CDOCUME%7E1%5CJBRESO%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_editdata.mso"><!--[if
!mso]><style> v\:* {behavior:url(#default#VML);} o\:*
{behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape
{behavior:url(#default#VML);} </style><![


This alert is triggered by (after finding Content-Type: text/html)

pcre:"/.*<[^>]*href[^>]*(file\x3A|[cC]\x3A|\\\\).*>/";

Which would indicate to me that a link to any local file will fire the
alert. What have others done with this rule?

Cheers,
Chris
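An added example, not part of the post and not Snort's own code: the pcre quoted above ported to Python's re module and run over three constructed HTML bodies, so the false-positive class Chris describes can be seen directly. The first sample reproduces the Word-export markup from the posted packet (Word writes a `<link rel="File-List" href="file:///C:...">` pointer to the author's temp directory); the other two are made up here, with PLACEHOLDER-HOST standing in for any real name. The second pattern, `TUNED_PCRE`, is a hypothetical narrower candidate offered only to illustrate one direction for tuning, not a published rule: it requires a tag a mail client would actually navigate and an attribute whose value starts with `file:`, a drive letter, or `\\`.

```python
import re

# Snort SID 11837's pcre as quoted in the post, ported to Python's re module.
# PCRE and Python agree on everything used here: \x3A is ':', \\\\ is two
# literal backslashes (a UNC prefix), '.' stops at newlines and [^>] does not.
RULE_11837_PCRE = re.compile(r"<[^>]*href[^>]*(file\x3A|[cC]\x3A|\\\\).*>")

# Hypothetical narrower candidate (an assumption for illustration, not a
# published Snort rule): navigable tag + URL attribute whose VALUE starts with
# file:, a drive letter, or \\, instead of "c:" anywhere inside any href tag.
TUNED_PCRE = re.compile(
    r"<(?:a|iframe|frame|img|form|embed|object)\b[^>]*"
    r"(?:href|src|action)\s*=\s*[\"']?(?:file\x3A|[cC]\x3A|\\\\)",
    re.IGNORECASE,
)

# Constructed samples. The first reproduces the Word-export markup from the
# posted packet; the other two are made up for this example.
SAMPLES = {
    "word_export_file_list": (
        '<html><head><meta content="text/html; charset=ISO-8859-1"\n'
        'http-equiv="Content-Type"><title></title></head><body><link rel="File-List"\n'
        'href="file:///C:%5CDOCUME%7E1%5CJBRESO%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><link\n'
        'rel="Edit-Time-Data"\n'
        'href="file:///C:%5CDOCUME%7E1%5CJBRESO%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_editdata.mso">\n'
    ),
    # An ordinary https link whose path happens to contain "c:" (end of "topic:").
    "https_link_with_c_colon": (
        '<p>See <a href="https://example.com/wiki/topic:networking">the wiki</a>.</p>\n'
    ),
    # An anchor pointing at a UNC path; PLACEHOLDER-HOST stands in for a real name.
    "unc_anchor": (
        r'<p>Open <a href="\\PLACEHOLDER-HOST\share\doc.lnk">the document</a>.</p>' + "\n"
    ),
}


def rule_11837_fires(payload: str) -> bool:
    """True when the pcre quoted in the post matches this text/html body."""
    return RULE_11837_PCRE.search(payload) is not None


def tuned_rule_fires(payload: str) -> bool:
    """True when the hypothetical narrower pattern matches this body."""
    return TUNED_PCRE.search(payload) is not None


def compare(samples: dict = SAMPLES) -> dict:
    """Map sample name -> (posted pcre fires, tuned pattern fires)."""
    return {
        name: (rule_11837_fires(body), tuned_rule_fires(body))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (original, tuned) in compare().items():
        print(f"{name:26} sid11837={str(original):5} tuned={str(tuned):5}")
```

The script exercises only the pcre; in Snort the rule also has its content matches (the `Content-Type: text/html` check the post mentions) and runs over the normalized SMTP payload, so a match here means the pcre would fire once those earlier conditions are met. The Word-export body and the plain https link both trip the posted pattern and neither trips the narrower one, while the UNC anchor trips both, which is the trade-off to weigh before narrowing the rule in a local copy.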