There is an error in the pcre for this rule,
It was
pcre:"/filename=\s*[\x2ewab]/smi";
which happens to be a character class around [\x2ewab].
It should be
pcre:"/filename=\s*\x2ewab/smi";
This is the reason for these false positives.
-Blake
Nigel Houghton wrote:
0, Michael Scheidell <scheidell@secnap.net>:
Nigel Houghton wrote:
0, Michael Scheidell [1]<scheidell@secnap.net>:
Snort 2.4.4, FREEBSD 4.11.
community-smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
(msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server,
established; content:"Content-Disposition|3A|"; nocase;
pcre:"/filename=\s*[\x2ewab]/smi"; reference:cve,2006-0014;
reference:url,[2]www.microsoft.com/technet/security/bulletin/MS06-016.mspx;
classtype:suspicious-filename-detect; sid:100000279; rev:1;)
I see content-disposition at 4e0, filename at 510, I don't see the .wab:
(it is searching for Content-Disposition:.*filename=\s*.*\.wab right?)
Almost, it is looking for Content-Disposition: followed by
filename=<whatever>.wab
What about the rest of the stream data? This is just one packet right?
I don't know, are you telling me at any subsequent packet in the
stream could trigger it?
I thought that you had to have a signature match in the packet.
Not necessarily, stream4 does its thing and reconsititutes the stream
for us to look at, otherwise you would be able to evade an IDS pretty
easily by just breaking up any attack into smaller pieces.
Your data looks like one of those heinous HTML email messages and it
already has a gif in it, chances are there is a lot more data in the
stream after this packet.
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
There is no theory of evolution, just a list
of creatures Vin Diesel allows to live.
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
This email and any files transmitted with it are solely intended for the use of
the addressee(s) and may contain information that is confidential and
privileged. If you receive this email in error, please advise us by return
email immediately. Please also disregard the contents of the email, delete it
and destroy any copies immediately. Demarc Security, Inc. does not accept
liability for the views expressed in the email or for the consequences of any
computer viruses that may be transmitted with this email.
This email is also subject to copyright. No part of it should be reproduced,
adapted or transmitted without the written consent of the copyright owner.
-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
