Network Security Snort-Signatures
[Snort-sigs] False +ves for SID 2590 SMTP MAIL FROM overflow attempt

Subject: [Snort-sigs] False +ves for SID 2590 SMTP MAIL FROM overflow attempt
Date: Thu, 25 Nov 2004 23:55:09 -0700
"Russell Fulton" <r.fulton@auckland.ac.nz> wrote:
> I am seeing lots of false +ves like this one for this rule where snort
> finds "mail from" in the body of the email.  Is there some way that the
> detect could be restricted to the headers?

Not easily, but this particular false positive is caused by a bug in 
the rule: the "isdataat" clause should be "relative". Better still would 
be to replace "isdataat" and the subsequent negative "content" with 
"pcre", such as:

    /^\s*MAIL FROM\:[^\n]{256}/mi

Unless I am missing something, the primary content clause could also 
include a colon, so the full rule could be:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM\:"; nocase; pcre:"/^\s*MAIL FROM\:[^\n]{256}/mi"; reference:bugtraq,10290; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:3;)

One unrelated issue is that most MTAs are more lenient with spaces 
than RFC 821 allows (although I cannot comment on exim). This rule 
could theoretically be evaded by replacing the space with a tab 
or two spaces. A more robust (but also more expensive) variant would 
be to reduce the primary content clause to a single word, such as:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"FROM\:"; nocase; pcre:"/^\s*MAIL\s+FROM\:[^\n]{256}/mi"; reference:bugtraq,10290; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:3;)
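The two pcre variants above, replayed over constructed SMTP client traffic as an added example (this is not part of the original post or of the Snort rule set). Python's re module stands in for PCRE: the /m and /i flags map to re.M and re.I, and the escaped colon in the rule is a literal ':'. The sample sessions, the overflow_command helper and the command_phase filter (which drops everything between a DATA command and the terminating dot so the regex only sees SMTP commands, i.e. the "restrict the detect to the commands, not the body" idea that a plain content/pcre rule cannot express) are all constructed here and are assumptions of the example, not something the thread provides.

```python
"""Replay the two pcre variants from the post over constructed SMTP traffic.
Python's re module stands in for PCRE: /m -> re.M, /i -> re.I."""
import re

# pcre from the first proposed rule (single space between MAIL and FROM)
# and from the second (any run of whitespace, \s+).  [^\n]{256} is the
# "at least 256 bytes before the next newline" overflow test.
PCRE_SPACE_ONLY = re.compile(rb"^\s*MAIL FROM:[^\n]{256}", re.M | re.I)
PCRE_ANY_WS = re.compile(rb"^\s*MAIL\s+FROM:[^\n]{256}", re.M | re.I)

# The content: clause that gates each pcre (nocase, so compared lower-cased).
CONTENT_SPACE_ONLY = b"mail from:"
CONTENT_ANY_WS = b"from:"


def rule_matches(payload: bytes, content: bytes, pcre) -> bool:
    """Emulate 'content:"..."; nocase; pcre:"..."' on one client-side buffer:
    the content string must be present (case-insensitively) and then the
    regex must match.  Snort evaluates this per packet or per reassembled
    stream segment; here the whole constructed session is one buffer."""
    return content in payload.lower() and pcre.search(payload) is not None


def command_phase(session: bytes) -> bytes:
    """Keep only the SMTP command lines of a client stream, dropping the
    message between a DATA command and the terminating '<CRLF>.<CRLF>'.
    This is the 'commands only, not the body' idea from the question, done
    outside Snort for illustration (hypothetical helper).  It assumes an
    in-order, complete client stream and ignores pipelining corner cases."""
    kept = []
    in_data = False
    for line in session.split(b"\r\n"):
        if in_data:
            if line == b".":
                in_data = False
            continue
        kept.append(line)
        if line.strip().upper() == b"DATA":
            in_data = True
    return b"\r\n".join(kept) + b"\r\n"


def evaluate(session: bytes) -> dict:
    """Run both rule variants over the raw stream, and the whitespace-tolerant
    variant over the command phase only."""
    return {
        "space_only": rule_matches(session, CONTENT_SPACE_ONLY, PCRE_SPACE_ONLY),
        "any_ws": rule_matches(session, CONTENT_ANY_WS, PCRE_ANY_WS),
        "any_ws_commands_only": rule_matches(
            command_phase(session), CONTENT_ANY_WS, PCRE_ANY_WS),
    }


# ---- constructed sample traffic (not captured data) ----------------------
LONG = b"A" * 300  # 300 bytes, past the rule's 256-byte threshold


def overflow_command(separator: bytes) -> bytes:
    """An oversized MAIL FROM command; 'separator' sits between MAIL and FROM
    so the space / tab / double-space evasion from the post can be tried."""
    return b"EHLO client\r\nMAIL" + separator + b"FROM:<" + LONG + b"@example.test>\r\n"


# A normal-sized command, followed by a message whose *body* contains a
# 300-byte line beginning with "mail from:" - the false positive in question.
BENIGN_BODY = (
    b"EHLO client\r\n"
    b"MAIL FROM:<alice@example.test>\r\n"
    b"RCPT TO:<bob@example.test>\r\n"
    b"DATA\r\n"
    b"Subject: forwarding a log\r\n"
    b"\r\n"
    + b"mail from: " + LONG + b"\r\n"
    + b".\r\n"
)

# Same shape, but the body line is short: nothing should fire.
BENIGN_SHORT = b"DATA\r\nSubject: hi\r\n\r\nmail from: me\r\n.\r\n"


if __name__ == "__main__":
    for name, session in [("space", overflow_command(b" ")),
                          ("tab", overflow_command(b"\t")),
                          ("two spaces", overflow_command(b"  ")),
                          ("benign body", BENIGN_BODY),
                          ("benign short", BENIGN_SHORT)]:
        print(f"{name:12s} {evaluate(session)}")
```

Running it shows the three behaviours discussed in the post: the single-space variant misses the tab and double-space forms entirely (its content: clause never matches), the \s+ variant catches all three, and both variants still fire on the long "mail from:" line inside the message body, because a content/pcre pair sees one byte stream and has no notion of where the DATA phase begins. Only the command_phase filter, which is not something Snort's rule language offers here, separates the two cases.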



_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
