Snort mailing list archives
Re: Rule thoughts
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 06 Sep 2012 16:06:58 -0600
On 2012-09-06 13:08, James Lay wrote:
Hey all,

So...been keeping my eye on: http://seclists.org/bugtraq/2012/Sep/29 and was interested in this portion to have Snort look at:

@font-face { font-family: "MyFont"; src: url(mailto:xxx<... approximately 2,020 characters removed ...>xxx); }

My thought was to do something like:

content: "mailto:<"; content: ">"; within: 1500;

or would offset be more appropriate? Any pointers would help...thank you.

James
So ok...here's what I got (admit it...you saw this coming ;)). Thanks to Joel, Nathan, and Rmkml for the HUGE help.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Unusually long mailto, possibly malicious"; flow:to_server,established; content:"mailto:<"; isdataat:200,relative; content:!">"; within:200; content:!"|0A|"; within:200; classtype:bad-unknown; sid:10000022; reference:url,http://seclists.org/bugtraq/2012/Sep/29; rev:1;)

This could possibly be extended to port 25 as well to determine initial point of entry. I don't really have a pcap of this to test (booooo) but so far no hits in a live environment...I honestly don't really ever expect to see this ever hit, but eh...who knows. The vuln that brought this about is already patched with MS012-052, so this may have just been an exercise in learning and not much else.

Thanks all!

James
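To see what the posted rule's content chain actually accepts and rejects, here is an added example (not from the thread or from Snort itself) that emulates the chain in Python over a few constructed payloads: the match on "mailto:<", the isdataat:200,relative length check, and the two negated within:200 matches for ">" and a line feed. It also approximates Snort's behaviour of retrying the chain at later occurrences of the first content when a subsequent option fails.

```python
# Constants mirroring the rule options posted in the thread.
MARKER = b"mailto:<"   # content:"mailto:<"
WINDOW = 200           # isdataat:200,relative and both within:200


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's content chain over one reassembled payload.

    Snort re-evaluates the chain at the next occurrence of the first
    content when a later option fails, so every "mailto:<" is tried.
    """
    start = 0
    while True:
        idx = payload.find(MARKER, start)
        if idx == -1:
            return False
        cursor = idx + len(MARKER)
        # isdataat:200,relative -> at least 200 bytes after the match.
        if len(payload) - cursor >= WINDOW:
            window = payload[cursor:cursor + WINDOW]
            # content:!">"; within:200  and  content:!"|0A|"; within:200
            if b">" not in window and b"\n" not in window:
                return True
        start = cursor  # retry from just past this occurrence


# Constructed sample payloads (not real captures).
SAMPLES = {
    # Ordinary mailto link: ">" closes the target a few bytes in.
    "benign_mailto": b"@font-face { src: url(mailto:<user@example.com>); }",
    # 1500 bytes of filler and no closing ">" within 200 bytes: alerts.
    "long_mailto": b"@font-face { src: url(mailto:<" + b"A" * 1500 + b"); }",
    # A line feed inside the 200-byte window suppresses the alert.
    "line_wrapped": b"mailto:<" + b"A" * 100 + b"\n" + b"A" * 300,
    # Fewer than 200 bytes after the marker fails isdataat.
    "too_short": b"mailto:<" + b"A" * 150,
    # First occurrence is benign, the second one triggers the retry path.
    "second_occurrence": b"mailto:<a> mailto:<" + b"B" * 300,
}


def scan_samples() -> dict:
    """Run the emulated rule over every sample; True means Snort would alert."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no alert'}")
```

Note that the rule's flow:to_server direction inspects requests towards $HTTP_PORTS; the matcher above is direction-agnostic and only reproduces the payload checks.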