Snort mailing list archives
Re: Rule 13573 question
From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 5 Oct 2011 11:55:36 -0400
No, you don't run Outlook on port 80...but Outlook gets called when you click a "mailto:" link out of an HTML document over port 80, and that's why the rule is written like it is.

As for that URL triggering it - the rule was written with HTML tags in mind, and the data that trips it looks like JSON. I've got an idea of how to fix up the rule; we'll open up an internal bug to verify my idea before sending it out.

On Wed, Oct 5, 2011 at 10:30 AM, Lay, James <james.lay () wincofoods com> wrote:
Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft Outlook arbitrary command line attempt "; flow:from_server,established; content:"mailto|3A|"; nocase; pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi"; reference:cve,2008-0110; reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx; classtype:misc-attack; sid:13573; rev:4;)

In looking at the MS bulletin, this is an Outlook client issue, yes? Do people run Outlook over port 80? Anyways, the below link will fire this one off.

http://static.meteorsolutions.com/metsol.js

James

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity and more. Splunk takes this data and makes sense of it. Business sense. IT sense. Common sense. http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
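As an added illustration of the false positive discussed in this thread (this is editor-supplied example code, not part of the original messages, the Snort distribution, or Alex's proposed fix), the snippet below translates the rule's pcre option into a Python regular expression and runs it over constructed sample payloads. It shows why an HTML mailto link with a quote and comma in its query string fires, why the same sequence outside the tag does not (the `[^>]` classes stop at the first `>`), and why JSON-style JavaScript data, which contains no `>` at all and ends nearly every string value with `",`, trips the rule. The sample strings are constructed for the example; nothing is fetched from the URL James reported, and the flow, port and direction options of the rule are assumed to be satisfied already, as they would be for a script served from a web server.

```python
import re

# Python translation of the rule's pcre option:
#   pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi"
# The trailing s, m, i modifiers map to re.S, re.M, re.I. The rule's
# content:"mailto|3A|"; nocase; prerequisite is the same prefix the regex
# begins with, so it is checked separately below only for fidelity.
SID_13573_PCRE = re.compile(
    rb'mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)',
    re.S | re.M | re.I,
)


def rule_13573_matches(payload: bytes) -> bool:
    """Return True when the payload part of sid:13573 would match.

    Only the content + pcre tests are emulated (assumption: the
    $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET and flow:from_server,established
    conditions are already met, as for a .js file fetched over HTTP).
    """
    return b"mailto:" in payload.lower() and SID_13573_PCRE.search(payload) is not None


# Constructed samples for the example; none of these are captured traffic.
SAMPLES = {
    # An HTML mailto link whose query string carries an encoded quote
    # followed by an encoded comma: the shape the rule was written for.
    "html_mailto_query": b'<a href="mailto:user@example.com?subject=hi&body=%22%2cfoo">m</a>',
    # A plain mailto link with no query string: no '?' so no match.
    "html_mailto_plain": b'<a href="mailto:user@example.com">m</a>',
    # The quote+comma sequence only appears after the tag closes; [^>]*
    # cannot cross the '>' so this does not fire.
    "html_quote_after_tag": b'<a href="mailto:user@example.com?subject=hi">m</a>, "x"',
    # JSON-style JavaScript data: there is no '>' anywhere, so [^>]* runs
    # freely past a later '?' and the '",' that ends almost every JSON
    # string value, and the rule fires on benign configuration data.
    "json_config": b'var cfg={"contact":"mailto:info@example.com","q":"?","note":"x","list":"a,b"};',
}


def classify(samples=SAMPLES):
    """Map each sample name to whether sid:13573's payload test fires on it."""
    return {name: rule_13573_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, fired in classify().items():
        print(f"{name:22s} {'ALERT' if fired else 'no match'}")
```

Running it prints an ALERT for both the HTML link and the JSON configuration, which is the behaviour James observed: the `[^>]*` classes were meant to confine the match to a single HTML tag, but they impose no limit on data that never contains a `>`. A tightened revision of the rule is not shown here, since the thread does not state what Alex's fix is.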
Current thread:
- Rule 13573 question Lay, James (Oct 05)
- Re: Rule 13573 question Alex Kirk (Oct 05)