Re: [Snort-sigs] SMTP rcpt to sed command attempt
From: Matt Kettler <mkettler(at)EVI-INC.COM>
Date: Tue May 27 2003 - 15:05:26 EDT
Agreed. That rule is really silly at this point, but it might be difficult to do this correctly just using "within" modifiers. For example, it could be modified to be:

    content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; distance:0; within:20; reference:bugtraq,1;

Of course, the upper cap of 20 creates some false negative cases, as they can just do:

    /bin/../bin/../bin/../bin/../bin/../bin/../bin/../bin/../bin/../bin/sed

to avoid it. I suppose you could make both strings "within 255", but that's not very helpful against false positives.

It's almost like snort needs a "before_linebreak" option so that we can look for groups of strings all on the same line. This would make a LOT of smtp rules significantly more correct and less false-positive prone. Of course, before_linebreak would have to terminate on 0d or 0a, since some broken mailers don't correctly use 0d 0a like they should and only send one or the other.

line_length might be another useful rule option for overflow checks in pop, smtp, etc. It would be better than the current trick, which is:

    content: !"|0a|"; within: 500

which gets FPs from misconfigured mailers.

Received on Tue May 27 16:02:41 2003
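The post argues three things: a fixed `within:20` cap can be padded past, `within:255` trades that for false positives, and a line-aware option (terminating on CR, LF or CRLF) would fix both, as would a real `line_length` check instead of the `content:!"|0a|"; within:500` trick. The following is an added example, not code from the original post or from Snort: it models those content/within semantics in Python (simplified; it takes the first match of each content rather than Snort's full backtracking), implements the proposed line-based checks, and runs all of them over constructed SMTP fragments. The payloads, function names and the 500-byte limit are assumptions made for the demonstration.

```python
import re

# The proposed terminator set: CRLF, lone CR, or lone LF (broken mailers send one or the other).
# CRLF is listed first so it is consumed as a single break.
LINE_BREAK = re.compile(rb"\r\n|\r|\n")

RCPT = b"rcpt to:"


def snort_style_match(payload: bytes, within: int = 20) -> bool:
    """Approximation (assumption) of:
       content:"rcpt to:"; nocase; content:"|"; distance:0; content:"sed "; distance:0; within:N;
    Each later content is searched only after the end of the previous match; the last one
    must lie entirely inside the next `within` bytes."""
    pos = payload.lower().find(RCPT)
    if pos < 0:
        return False
    end = pos + len(RCPT)
    pipe = payload.find(b"|", end)          # distance:0, no within -> unbounded
    if pipe < 0:
        return False
    end = pipe + 1
    return b"sed " in payload[end:end + within]


def before_linebreak_match(payload: bytes) -> bool:
    """The suggested before_linebreak behaviour: all three strings, in order, on one line.
    A line ends at CR, LF or CRLF, so CR-only or LF-only mailers are handled."""
    for line in LINE_BREAK.split(payload):
        low = line.lower()
        r = low.find(RCPT)
        if r < 0:
            continue
        p = line.find(b"|", r + len(RCPT))
        if p >= 0 and b"sed " in line[p + 1:]:
            return True
    return False


def no_lf_within(payload: bytes, n: int = 500) -> bool:
    """The current trick: content:"rcpt to:"; nocase; content:!"|0a|"; within:N;
    Fires when no LF appears in the N bytes after the RCPT TO match (a CR-only
    mailer therefore trips it even with short lines)."""
    pos = payload.lower().find(RCPT)
    if pos < 0:
        return False
    end = pos + len(RCPT)
    return b"\n" not in payload[end:end + n]


def long_lines(payload: bytes, limit: int = 500) -> list:
    """The proposed line_length check: return every line longer than `limit`,
    terminating on CR, LF or CRLF rather than LF alone."""
    return [ln for ln in LINE_BREAK.split(payload) if len(ln) > limit]


# Constructed SMTP fragments for the demonstration (not captured traffic).
P_BASIC = b"MAIL FROM:<a@example.com>\r\nRCPT TO: |sed -e 1d\r\nDATA\r\n"
# The padding trick from the post: "sed " is pushed more than 20 bytes past the "|".
P_PADDED = b"RCPT TO: |" + b"/bin/.." * 6 + b"/bin/sed -e 1d\r\nDATA\r\n"
# Benign message body: "|" and "sed " occur on a later line, well within 255 bytes.
P_SPLIT = (b"RCPT TO:<bob@example.com>\r\nDATA\r\n"
           b"Please | forward this to the team; they can sed the output later\r\n.\r\n")
# Mailer that terminates lines with CR only: many short lines, no LF anywhere.
P_CR_ONLY = b"".join(b"RCPT TO:<user%d@example.com>\r" % i for i in range(30))
# Genuinely oversized command line (CRLF-terminated).
P_LONG = b"RCPT TO:<" + b"A" * 600 + b"@example.com>\r\n"


if __name__ == "__main__":
    for name, p in [("basic", P_BASIC), ("padded", P_PADDED), ("split", P_SPLIT),
                    ("cr_only", P_CR_ONLY), ("long", P_LONG)]:
        print(f"{name:8} within20={snort_style_match(p, 20)!s:5} "
              f"within255={snort_style_match(p, 255)!s:5} "
              f"line={before_linebreak_match(p)!s:5} "
              f"noLF500={no_lf_within(p)!s:5} long={len(long_lines(p))}")
```

Running it shows the trade-off the post describes: `within:20` misses the padded payload, `within:255` catches it but also fires on the benign split message, while the line-based check catches both sed variants and ignores the benign body. For the overflow case, the `!"|0a|"; within:500` trick fires on the CR-only mailer that never exceeds a few dozen bytes per line, whereas the CR-or-LF-aware `long_lines` reports nothing for it and exactly one line for the genuinely oversized command.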