Snort mailing list archives

Re: Offered new rule for detect last Outlook/Crypto API...


From: rmkml <rmkml () yahoo fr>
Date: Wed, 13 Nov 2013 17:02:51 +0100 (CET)

OK, please check a new version (but not for Suricata20b1, sorry):

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; \
flow:to_server,established; \
content:"application/pkcs7-signature|3B|"; nocase; \
file_data; content:"|06 08 2B 06 01 05 05 07 01 01|"; distance:0; \
content:"http://"; within:50; distance:0; \
pcre:"/^[^\/]*?\:\d+\//R"; \
reference:cve,2013-3870; \
reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; \
reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; \
classtype:attempted-admin; sid:95420; rev:2;)

Created during my new project http://etplc.org

Regards
@Rmkml


On Wed, 13 Nov 2013, rmkml wrote:

Hi,

OK, first: I developed this rule during my new project: http://etplc.org

Thanks to the Nruns company for recently disclosing an old design bug in Microsoft 
Outlook/Crypto API X.509:

http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex/
http://seclists.org/fulldisclosure/2013/Nov/84

Please find a "specific" rule release for detecting this:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP requests attempt"; \
flow:to_server,established; \
content:"multipart/signed|3B|"; nocase; \
content:"application/pkcs7-signature|3B|"; nocase; distance:0; \
content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; \
reference:cve,2013-3870; \
reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; \
reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; \
classtype:attempted-admin; sid:95420; rev:1;)

Maybe this rule or others will be improved in the future (using file_data for 
decoding the base64, checking the X.509 certificate for 1.1.1.1..., checking the 
CryptoAPI UA on the outgoing proxy...).

Don't forget to check Snort variables like $SMTP_SERVERS...

All comments are welcome.

Regards
@Rmkml


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org