Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs

from [Michael Scheidell] Network Security [Permanent Link]
Subject: [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?
Date: Wed, 12 Apr 2006 10:50:01 -0400
Nigel Houghton wrote:
0, Michael Scheidell <scheidell@secnap.net>:
Snort 2.4.4, FREEBSD 4.11.

community-smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server,
established; content:"Content-Disposition|3A|"; nocase;
pcre:"/filename=\s*[\x2ewab]/smi"; reference:cve,2006-0014;
reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx;
classtype:suspicious-filename-detect; sid:100000279; rev:1;)

I see content-disposition at 4e0, filename at 510, I don't see the .wab:
(it is searching for Content-Disposition:.*filename=\s*.*\.wab right?)
Almost, it is looking for Content-Disposition: followed by
filename=<whatever>.wab

What about the rest of the stream data? This is just one packet right?
I don't know, are you telling me at any subsequent packet in the stream could trigger it?

I thought that you had to have a signature match in the packet.


--
Michael Scheidell, CTO
SECNAP Network Security
561-999-5000, x 1131

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Nigel Houghton
Next by Date:  [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Nigel Houghton
Previous by Thread:  [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Nigel Houghton
Next by Thread:  [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Nigel Houghton
Indexes:  [Date] [Thread] [Top] [All Lists]