New rule SID question ...

["Hicks, John" <JHicks () JUSTICE GC CA>]

Hello all,

        I just got an email anouncing a new M$ Encapsulated SMTP Address
Vulnerability (attached for reference) and I'm trying to write a new rule
for this, but have 1 question. What do I assign as a SID??? Do I have to
look for an unused one from some master list???

Thanks in advance,

John

----- Original Message -----
From: <support () securiteam com>
To: <list () securiteam com>
Sent: Friday, July 12, 2002 1:36 PM
Subject: [NT] IIS Microsoft SMTP Service Encapsulated SMTP Address
Vulnerability


> The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com
> - - promotion
>
> When was the last time you checked your server's security?
> How about a monthly report?
> http://www.AutomatedScanning.com - Know that you're safe.
> - - - - - - - - -
>
>
>
>   IIS Microsoft SMTP Service Encapsulated SMTP Address Vulnerability
> ------------------------------------------------------------------------
>
>
> SUMMARY
>
> Laurent Frinking of Quark Deutschland GmbH originally discovered this
> vulnerability. At that time, the discovery concerned all versions of
> Microsoft Exchange 5.5 prior to SP2 with the SP2 IMC patch.
>
> Portcullis has discovered that the Microsoft SMTP Service available with
> IIS 4.0 and IIS 5.0 is also vulnerable to the encapsulated SMTP address
> vulnerability even with anti-relaying features enabled. This vulnerability
> allows hosts that are not authorized to relay e-mail via the SMTP server
> to bypass the anti-relay features and send mail to foreign domains.
>
> DETAILS
>
> Impact:
> The anti-relay rules will be circumvented allowing spam and spoofed mail
> to be relayed via the SMTP mail server.
>
> Spam Mail:
> If the Microsoft IIS SMTP Server is used to relay spam mail this could
> result in the mail server being black holed causing disruption to the
> service.
>
> Spoofed e-mail:
> As the Microsoft IIS SMTP Service is most often utilized in conjunction
> with IIS for commercial use this flaw could be used in order to engineer
> customers particularly because spoofed e-mail relayed in this way will
> show the trusted web server in the SMTP header.
>
> Exploit:
> 220 test-mailer Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready
> at Tue, 28 May 2002 14:54:10 +0100
> helo
> 250 test-mailer Hello [IP address of source host]
> MAIL FROM: test () test com
> 250 2.1.0 test () test com....Sender OK
> RCPT TO: test2 () test com
> 550 5.7.1 Unable to relay for test () test com
> RCPT TO: IMCEASMTP-test+40test+2Ecom () victim co uk
> 250 2.1.5 IMCEASMTP-test+40test+2Ecom () victim co uk
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Subject: You are vulnerable.
>
>
> ADDITIONAL INFORMATION
>
> The information has been provided by  <mailto:TLR () portcullis-security com>
> TLR.
>
>
>
> ========================================
>
>
> This bulletin is sent to members of the SecuriTeam mailing list.
> To unsubscribe from the list, send mail with an empty subject line and
body to: list-unsubscribe () securiteam com
> In order to subscribe to the mailing list, simply forward this email to:
list-subscribe () securiteam com
> ====================
> ====================
>
> DISCLAIMER:
> The information in this bulletin is provided "AS IS" without warranty of
any kind.
> In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Gadgets, caffeine, t-shirts, fun stuff.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users