Snort mailing list archives
Re: [Emerging-Sigs] Offered new rule for detect last Outlook/Crypto API...
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Tue, 12 Nov 2013 17:14:06 -0600
Thanks, will get this into QA.

On Tue, Nov 12, 2013 at 5:49 PM, rmkml <rmkml () yahoo fr> wrote:

> Hi,
>
> OK, first: I have developed this rule during my new project: http://etplc.org
>
> Thanks to the Nruns company for recently releasing an old design bug in Microsoft Outlook/Crypto API X.509:
> http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex/
> http://seclists.org/fulldisclosure/2013/Nov/84
>
> Please find a "specific" rule release for detecting this:
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:95420; rev:1;)
>
> Maybe this rule or others will be improved in future (using file_data for decoding base64, checking the X.509 certificate 1.1.1.1..., checking the UA CryptoAPI outgoing proxy...).
>
> I don't remember checking Snort variables like $SMTP_SERVERS...
>
> All comments are welcome.
>
> Regards
> @Rmkml
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
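The following is an added example, not code from either poster or from the Emerging Threats / Snort rulesets. It models the three ordered `content` clauses of the sid:95420 rule quoted above (the two `nocase` MIME-type matches and the `distance:0` chaining) in Python and runs them over constructed S/MIME messages, then shows the decode-then-match approach rmkml mentions as a future improvement ("using file_data for decoding base64"). Everything in it is an assumption for illustration: the function names, the addresses and MIME boundary, and the signature blobs. The only thing taken from the thread is the rule's third content, a 64-character base64 line `QUFB...` between LF and CR; `QUFB` is base64 for three 0x41 bytes, so that line encodes 48 consecutive 0x41 bytes, and the example treats a blob carrying such a run as the sample of interest (an inference from the rule, not something the thread states about the PoC).

```python
import base64
import re

# Added example, not part of the thread: a Python model of the three ordered
# "content" matches in rmkml's sid:95420 rule, run over constructed S/MIME
# messages, followed by the decode-then-match approach the post mentions
# (file_data over the base64-decoded part). Messages, addresses, boundary and
# signature bytes below are constructed for illustration.

# Third content of the rule: LF, this 64-character base64 line, CR. "QUFB" is
# base64 for three 0x41 bytes, so the line encodes 48 consecutive 0x41 bytes.
PADDING_LINE = b"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"

# (needle, nocase) in rule order. The first content is searched from the start
# of the payload; the later ones carry distance:0, so each is searched from the
# end of the previous match. The third content has no nocase modifier.
RULE_CONTENTS = [
    (b"multipart/signed;", True),
    (b"application/pkcs7-signature;", True),
    (b"\n" + PADDING_LINE + b"\r", False),
]


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's ordered content matching on a raw SMTP payload."""
    pos = 0
    for needle, nocase in RULE_CONTENTS:
        hay = payload.lower() if nocase else payload
        key = needle.lower() if nocase else needle
        idx = hay.find(key, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def b64_lines(data: bytes, width: int = 64) -> list:
    """Base64-encode data and wrap it MIME style at `width` characters."""
    enc = base64.b64encode(data)
    return [enc[i:i + width] for i in range(0, len(enc), width)]


def build_smime_message(sig_lines: list, boundary: bytes = b"----=_Part_0") -> bytes:
    """Constructed multipart/signed message with a detached pkcs7-signature part."""
    lines = [
        b"From: sender@example.test",
        b"To: recipient@example.test",
        b"Subject: signed test",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
        b' micalg=sha1; boundary="' + boundary + b'"',
        b"",
        b"--" + boundary,
        b"Content-Type: text/plain",
        b"",
        b"hello",
        b"--" + boundary,
        b"Content-Type: application/pkcs7-signature; name=smime.p7s",
        b"Content-Transfer-Encoding: base64",
        b"",
        *sig_lines,
        b"--" + boundary + b"--",
    ]
    return b"\r\n".join(lines) + b"\r\n"


def decoded_signature(payload: bytes) -> bytes:
    """Base64-decode the body of the pkcs7-signature part (what file_data would carry)."""
    # Anchor on the part header at start of line, so the protocol="..." parameter
    # of the top-level Content-Type is not mistaken for the part itself.
    hdr = payload.lower().find(b"\ncontent-type: application/pkcs7-signature")
    if hdr < 0:
        return b""
    start = payload.find(b"\r\n\r\n", hdr)
    if start < 0:
        return b""
    start += 4
    end = payload.find(b"\r\n--", start)  # next MIME boundary
    if end < 0:
        end = len(payload)
    try:
        return base64.b64decode(b"".join(payload[start:end].split()), validate=True)
    except ValueError:
        return b""


def decoded_has_padding_run(payload: bytes, minimum: int = 48) -> bool:
    """Decode-then-match: find the 0x41 run independently of base64 line framing."""
    return re.search(rb"\x41{%d,}" % minimum, decoded_signature(payload)) is not None


# Constructed signature blobs. ASSUMPTION: the sample of interest is any blob
# carrying a run of 48 0x41 bytes, which is all the rule's third content tests.
BLOB = bytes(range(48)) + b"A" * 48 + b"\x00\x01\x02"
PADDED = build_smime_message(b64_lines(BLOB, width=64))   # run starts a 64-col line
EVASION = build_smime_message(b64_lines(BLOB, width=76))  # same bytes, 76-col wrap
BENIGN = build_smime_message(b64_lines(bytes(range(96))))  # no 0x41 run at all

if __name__ == "__main__":
    for name, msg in (("padded", PADDED), ("evasion", EVASION), ("benign", BENIGN)):
        print(name, "raw-rule:", rule_matches(msg), "decoded:", decoded_has_padding_run(msg))
```

The point of the three samples: the posted rule fires only when the 0x41 run is 3-byte aligned and starts a 64-column base64 line, because it matches the transfer encoding verbatim between `|0A|` and `|0D|`. Re-wrapping the same signature at 76 columns (or shifting it by a byte) changes the base64 text and the raw match misses, while matching on the decoded part still catches it. That framing dependence is what rmkml's suggested move to `file_data` over the base64-decoded part would remove; in Snort that decoded buffer comes from the SMTP preprocessor's base64 decoding, which has to be enabled for the SMTP ports the rule is written against.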
Current thread:
- Offered new rule for detect last Outlook/Crypto API... rmkml (Nov 12)
- Re: [Emerging-Sigs] Offered new rule for detect last Outlook/Crypto API... Will Metcalf (Nov 12)
- Re: Offered new rule for detect last Outlook/Crypto API... rmkml (Nov 13)