Network Security: Detailed info on Re: [Snort-sigs] new rule for detect IMAP Qualcomm WorldMail SELECT dot

Subject:	Re: [Snort-sigs] new rule for detect IMAP Qualcomm WorldMail SELECT dot dot attempt
Date:	Fri, 18 Nov 2005 08:03:09 -0800

Hi, From securityfocus.com/bid/15488/exploit "2 select ./../../administrator/inbox" The pcre you have listed below will not detect this case because there is a leading './'

Required rule number before the select, there are some examples in the protocol where a letter is included like so "A142 SELECT INBOX". I think omitting the ^ might be a better solution

Taking these into account, it can be changed to pcre:"/\d*\s+SELECT\s+[^\n]*?\.\./smi";

Cheers,
-Blake


rmkml wrote:

Hi,
please check and add this new rule :
imap.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"|2E 2E|"; nocase; pcre:"/^\d*\s*SELECT\s*\.\./smi"; nocase; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; )

On my test, imap protocol require rule number before cmd (select), maybe Im wrong...
Improve/comments are welcome.
Regards
Rmkml
-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


--
This email and any files transmitted with it are solely intended for the use of 
the addressee(s) and may contain information that is confidential and 
privileged.  If you receive this email in error, please advise us by return 
email immediately. Please also disregard the contents of the email, delete it 
and destroy any copies immediately.  Demarc Security, Inc. does not accept 
liability for the views expressed in the email or for the consequences of any 
computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, 
adapted or transmitted without the written consent of the copyright owner.

-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] new rule for detect IMAP Qualcomm WorldMail SELECT dot dot attempt, rmkml Re: [Snort-sigs] new rule for detect IMAP Qualcomm WorldMail SELECT dot dot attempt, Blake Hartstein <=

Previous by Date:	[Snort-sigs] new rule for detect IMAP Qualcomm WorldMail SELECT dot dot attempt, rmkml
Next by Date:	[Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:	[Snort-sigs] new rule for detect IMAP Qualcomm WorldMail SELECT dot dot attempt, rmkml
Next by Thread:	[Snort-sigs] new rule for detect smtp open relay test message, rmkml
Indexes:	[Date] [Thread] [Top] [All Lists]