Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs

from [Nigel Houghton] Network Security [Permanent Link]
Subject: [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?
Date: Wed, 12 Apr 2006 09:58:06 -0500 
 0, Michael Scheidell <scheidell@secnap.net>:

   Nigel Houghton wrote:

 0, Michael Scheidell [1]<scheidell@secnap.net>:


Snort 2.4.4, FREEBSD 4.11.

community-smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server,
established; content:"Content-Disposition|3A|"; nocase;
pcre:"/filename=\s*[\x2ewab]/smi"; reference:cve,2006-0014;
reference:url,[2]www.microsoft.com/technet/security/bulletin/MS06-016.mspx;
classtype:suspicious-filename-detect; sid:100000279; rev:1;)

I see content-disposition at 4e0, filename at 510, I don't see the .wab:
(it is searching for Content-Disposition:.*filename=\s*.*\.wab  right?)



Almost, it is looking for Content-Disposition: followed by
filename=<whatever>.wab

What about the rest of the stream data? This is just one packet right?

   I  don't  know,  are  you  telling  me at any subsequent packet in the
   stream could trigger it?
   I thought that you had to have a signature match in the packet.


Not necessarily, stream4 does its thing and reconsititutes the stream
for us to look at, otherwise you would be able to evade an IDS pretty
easily by just breaking up any attack into smaller pieces.

Your data looks like one of those heinous HTML email messages and it
already has a gif in it, chances are there is a lot more data in the
stream after this packet.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Michael Scheidell
Next by Date:  Re: [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Blake Hartstein
Previous by Thread:  [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Michael Scheidell
Next by Thread:  Re: [Snort-sigs] Re: Community rules, 100000279? Pcre error? Signature needs tightening up?, Blake Hartstein
Indexes:  [Date] [Thread] [Top] [All Lists]