Snort mailing list archives

Re: Rule 13573 question


From: Alex Kirk <akirk () sourcefire com>
Date: Wed, 5 Oct 2011 11:55:36 -0400

No, you don't run Outlook on port 80...but Outlook gets called when you
click a "mailto:" link out of an HTML document over port 80, and that's why
the rule is written like it is.

As for that URL triggering it - the rule was written with HTML tags in mind,
and the data that trips it looks like JSON. I've got an idea of how to fix
up the rule, we'll open up an internal bug to verify my idea before sending
it out.

On Wed, Oct 5, 2011 at 10:30 AM, Lay, James <james.lay () wincofoods com> wrote:

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Microsoft Outlook arbitrary command line attempt ";
flow:from_server,established; content:"mailto|3A|"; nocase;
pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi";
reference:cve,2008-0110;
reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx;
classtype:misc-attack; sid:13573; rev:4;)


In looking at the MS bulletin, this is an Outlook client issue yes?  Do
people run Outlook over port 80?  Anyways, the below link will fire this one
off.


http://static.meteorsolutions.com/metsol.js


James


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

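The exchange above turns on one detail of sid:13573: the PCRE's `[^>]*` classes only stop at an HTML tag close, so a JSON body, which contains no `>` at all, lets the pattern run across the whole document until it meets the `",` that separates two JSON members. The following Python script is an added illustration, not code from the thread or from Sourcefire: it re-implements the rule's payload checks with Python's `re` (the posted PCRE uses only syntax that Python accepts) and runs them over three constructed sample bodies. The `PCRE_TAG_ONLY` variant, which additionally requires the `mailto:` to sit inside a tag, is an assumed tightening for comparison only and is not the fix Alex refers to.

```python
import re

# Payload checks from sid:13573 rev:4 as posted in the thread.  Snort evaluates the
# content match first ("mailto|3A|" with nocase, |3A| being ':'), then the PCRE with
# flags s (dot spans newlines), m (multiline) and i (case-insensitive).
CONTENT = b"mailto:"
PCRE_13573 = re.compile(
    rb"mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)

# Assumed tightening, for illustration only (not the VRT's fix): require the mailto:
# URI to appear after a '<' with no intervening '>', i.e. inside an HTML tag, so a
# bare JSON body without any tag cannot satisfy the pattern.
PCRE_TAG_ONLY = re.compile(
    rb"<[^>]*mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)",
    re.DOTALL | re.MULTILINE | re.IGNORECASE,
)


def rule_13573_fires(payload: bytes, pcre: re.Pattern = PCRE_13573) -> bool:
    """Emulate the rule's detection on one server-side payload: content, then PCRE."""
    if CONTENT not in payload.lower():
        return False
    return pcre.search(payload) is not None


# Constructed sample HTTP response bodies (not captured traffic).
SAMPLES = {
    # Shape the rule was written for: a '?' parameter inside the mailto: URI followed
    # by an encoded quote and comma, all before the tag's closing '>'.
    "html_suspect": b'<html><a href="mailto:a@example.com?subject=x%22%2cb">x</a></html>',
    # Ordinary mailto: link: the '"' that closes href is followed by '>', not ','.
    "html_benign": b'<a href="mailto:a@example.com?subject=hi">Mail us</a>',
    # JSON with no tags: nothing stops [^>]*, and the '",' between members satisfies
    # (\x22)(\x2c), which is the false positive discussed in the thread.
    "json_benign": b'{"contact":"mailto:a@example.com?subject=hi","next":1}',
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (fires under rev:4 PCRE, fires under the tag-only variant)}."""
    return {
        name: (rule_13573_fires(body), rule_13573_fires(body, PCRE_TAG_ONLY))
        for name, body in samples.items()
    }


if __name__ == "__main__":
    for name, (rev4, tag_only) in evaluate().items():
        print(f"{name:13s} rev4={rev4!s:5s} tag-only={tag_only}")
```

Running it shows `html_suspect` firing under both patterns, `html_benign` under neither, and `json_benign` only under the posted rev:4 pattern, which is exactly the mismatch between "written with HTML tags in mind" and "the data that trips it looks like JSON". A real fix still has to be checked against the HTML cases the rule is meant to catch, since narrowing the character class can just as easily create misses.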