[Snort-sigs] Pass rules for Exchange 2000 OWA

Cessna, Michael MCessna at ...153...
Tue Oct 23 12:21:15 EDT 2001


Looks like I spoke a little too soon. The original pass rule works, but now
other OWA packets are tripping the web-cgi calendar rule. I'll add all that
I can find to the pass rules and post them to the list when I think I
have them all.
Thanks again for the help,
Mike

-----Original Message-----
From: Cessna, Michael [mailto:MCessna at ...153...]
Sent: Tuesday, October 23, 2001 2:37 PM
To: 'Dell, Jeffrey'
Cc: snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Pass rules for Exchange 2000 OWA


Thanks for the help; that seems to have done the trick. Is there a
performance difference between using content matching and uricontent
matching?
Mike

-----Original Message-----
From: Dell, Jeffrey [mailto:JDell at ...155...]
Sent: Tuesday, October 23, 2001 2:02 PM
To: 'Cessna, Michael'
Subject: RE: [Snort-sigs] Pass rules for Exchange 2000 OWA


Michael,
 
Let's try to trim this down a bit. Here is your rule:
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search
access by Exchange OWA connection"; flags: A+; content: "SEARCH /exchange";
depth: 8; nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070;
rev:1;)
 
Here is a trimmed down version:
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search
access by Exchange OWA connection"; flags: A+; uricontent: "/exchange";
nocase;)
 
I basically took out a lot of crap that is ignored for a pass rule and made
it a uricontent instead of just a content. This should work. If not, let me
know. I have another idea.
 
Jeff
 

-----Original Message-----
From: Cessna, Michael [mailto:MCessna at ...153...]
Sent: Tuesday, October 23, 2001 1:28 PM
To: 'Dell, Jeffrey'; Cessna, Michael; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Pass rules for Exchange 2000 OWA


I should have said that I have the -o switch, sorry about that. But I
restarted snort and checked to make sure that the -o was there anyway. It
was and it's still tripping the webdav rule.
Here's the packet payload that just tripped the webdav rule.
000 : 53 45 41 52 43 48 20 2F 65 78 63 68 61 6E 67 65   SEARCH /exchange
010 : 2F 67 73 74 65 65 72 65 2F 49 6E 62 6F 78 2F 20   /gsteere/Inbox/ 
020 : 48 54 54 50 2F 31 2E 31 0D 0A 63 6F 6E 74 65 6E   HTTP/1.1..conten
030 : 74 2D 74 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C   t-type: text/xml
040 : 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67   ..Accept-Languag
050 : 65 3A 20 65 6E 2D 75 73 0D 0A 42 72 69 65 66 3A   e: en-us..Brief:
060 : 20 74 0D 0A 72 61 6E 67 65 3A 20 72 6F 77 73 3D    t..range: rows=
070 : 30 2D 32 34 0D 0A 52 65 66 65 72 65 72 3A 20 68   0-24..Referer: h
080 : 74 74 70 3A 2F 2F 77 65 62 6D 61 69 6C 2E 72 74   ttp://webmail.rt
090 : 6D 2E 63 6F 6D 2F 65 78 63 68 61 6E 67 65 2F 67   m.com/exchange/g
0a0 : 73 74 65 65 72 65 2F 49 6E 62 6F 78 2F 3F 43 6D   steere/Inbox/?Cm
0b0 : 64 3D 63 6F 6E 74 65 6E 74 73 0D 0A 43 6F 6F 6B   d=contents..Cook
0c0 : 69 65 3A 20 73 65 73 73 69 6F 6E 69 64 3D 66 35   ie: sessionid=f5
0d0 : 66 31 36 65 30 37 2D 33 32 61 39 2D 34 39 37 36   f16e07-32a9-4976
0e0 : 2D 39 63 33 33 2D 32 65 37 34 31 33 32 38 39 62   -9c33-2e7413289b
0f0 : 64 34 2C 30 78 34 30 39 3B 20 53 49 54 45 53 45   d4,0x409; SITESE
100 : 52 56 45 52 3D 49 44 3D 62 64 64 34 64 65 37 39   RVER=ID=bdd4de79
110 : 34 35 61 35 62 34 38 35 38 32 39 38 31 39 37 36   45a5b48582981976
120 : 63 34 66 62 33 32 63 39 0D 0A 55 73 65 72 2D 41   c4fb32c9..User-A
130 : 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E   gent: Mozilla/4.
140 : 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D   0 (compatible; M
150 : 53 49 45 20 35 2E 30 31 3B 20 57 69 6E 64 6F 77   SIE 5.01; Window
160 : 73 20 4E 54 20 35 2E 30 29 0D 0A 48 6F 73 74 3A   s NT 5.0)..Host:
170 : 20 77 65 62 6D 61 69 6C 2E 72 74 6D 2E 63 6F 6D    webmail.rtm.com
180 : 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65   ..Connection: Ke
190 : 65 70 2D 41 6C 69 76 65 0D 0A 41 75 74 68 6F 72   ep-Alive..Author
1a0 : 69 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 61   ization: Negotia
1b0 : 74 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 41   te TlRMTVNTUAADA
1c0 : 41 41 41 47 41 41 59 41 47 41 41 41 41 41 59 41   AAAGAAYAGAAAAAYA
1d0 : 42 67 41 65 41 41 41 41 41 34 41 44 67 42 41 41   BgAeAAAAA4ADgBAA
1e0 : 41 41 41 44 67 41 4F 41 45 34 41 41 41 41 45 41   AAADgAOAE4AAAAEA
1f0 : 41 51 41 58 41 41 41 41 41 41 41 41 41 43 51 41   AQAXAAAAAAAAACQA
200 : 41 41 41 42 59 4B 41 67 48 49 41 64 41 42 74 41   AAABYKAgHIAdABtA
210 : 43 34 41 59 77 42 76 41 47 30 41 5A 77 42 7A 41   C4AYwBvAG0AZwBzA
220 : 48 51 41 5A 51 42 6C 41 48 49 41 5A 51 42 4D 41   HQAZQBlAHIAZQBMA
230 : 46 41 41 41 74 69 31 78 6F 52 78 4F 7A 75 6D 44   FAAAti1xoRxOzumD
240 : 71 65 59 2B 69 75 71 75 32 72 45 59 68 46 61 43   qeY+iuqu2rEYhFaC
250 : 2F 4D 34 52 52 38 78 73 36 50 37 76 6A 51 70 6F   /M4RR8xs6P7vjQpo
260 : 65 43 4F 65 50 71 48 2F 32 6C 6C 41 59 36 53 63   eCOePqH/2llAY6Sc
270 : 52 61 36 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E   Ra6..Content-Len
280 : 67 74 68 3A 20 38 32 37 0D 0A 0D 0A               gth: 827....

Any ideas?
Mike

-----Original Message-----
From: Dell, Jeffrey [mailto:JDell at ...155...]
Sent: Tuesday, October 23, 2001 12:18 PM
To: 'Cessna, Michael'; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] Pass rules for Exchange 2000 OWA


Michael,
 
It is probably the rule order. Make sure you have a "-o" arg when running
snort. This will change the rule order to pass->alert->log.
 
Jeff

-----Original Message-----
From: Cessna, Michael [mailto:MCessna at ...153...]
Sent: Tuesday, October 23, 2001 11:46 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Pass rules for Exchange 2000 OWA


Hello all,
I am trying to write a pass rule for Exchange 2000 Outlook Web Access. The
problem is that the OWA connections keep tripping the web dav rules in the
web-misc rules files. I would like to keep the alerts active but pass the
OWA connections.

The Webdav rule that keeps tripping is: 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search
access"; flags: A+; content: "SEARCH "; depth: 8;
nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)

I tried to use the following pass rule to ignore the OWA connections: 
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search
access by Exchange OWA connection"; flags: A+; content: "SEARCH /exchange";
depth: 8; nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070;
rev:1;)

This is a copy of the webdav rule except that I added the /exchange to the
content match. I just can't seem to see what I am doing wrong. Maybe I am
just on crack today :)

Any help would be greatly appreciated, 

Michael Cessna 
Network Engineer 
RealTime Media 
308 Lancaster Ave. 
Wynnewood, PA 19096 
p.610-896-9400 x308 
f.610-896-9416 
mcessna at ...153... 
www.realtimemedia.com 
www.rtm.com 
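The thread turns on two Snort mechanics: the default rule order (alert->pass->log, changed to pass->alert->log by "-o"), and the difference between a raw "content" match bounded by "depth" and a "uricontent" match against the request URI. The following is an added example, not code from the thread or from Snort: a small Python emulation of those matching rules, run over the first four lines of the hex dump Mike posted (the SEARCH request line and first header; the rest of the dump is left out). It shows why the original pass rule could not work regardless of rule order: "SEARCH /exchange" is 16 bytes, but "depth: 8" restricts the search to the first 8 payload bytes, so the pattern never fits. The parser, the rule dictionaries and the simplified URI extraction (raw request-URI rather than Snort's HTTP-decoded buffer) are this example's own assumptions.

```python
import re
from typing import Optional

# Constructed excerpt: the first four lines of the hex dump posted in the
# thread (offsets 0x000-0x03f). Enough to hold the request line and the
# first header; the NTLM blob and later headers are not needed here.
HEXDUMP_EXCERPT = """\
000 : 53 45 41 52 43 48 20 2F 65 78 63 68 61 6E 67 65   SEARCH /exchange
010 : 2F 67 73 74 65 65 72 65 2F 49 6E 62 6F 78 2F 20   /gsteere/Inbox/
020 : 48 54 54 50 2F 31 2E 31 0D 0A 63 6F 6E 74 65 6E   HTTP/1.1..conten
030 : 74 2D 74 79 70 65 3A 20 74 65 78 74 2F 78 6D 6C   t-type: text/xml
"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw payload bytes from 'OFF : XX XX ...   ascii' lines.

    Each line carries at most 16 bytes; the ASCII column starts at the
    first token that is not a two-digit hex value.
    """
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        _, rest = line.split(" : ", 1)
        for tok in rest.split()[:16]:
            if not HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def content_match(payload: bytes, pattern: bytes,
                  depth: Optional[int] = None, nocase: bool = False) -> bool:
    """Emulate Snort 'content' with optional 'depth' and 'nocase'.

    'depth' limits the search to the first N payload bytes, so the whole
    pattern has to fit inside that window to match at all.
    """
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def uri_of(payload: bytes) -> bytes:
    """Request-URI from the request line: the buffer 'uricontent' inspects.
    Assumption: raw URI, no HTTP-decoder normalisation."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule_matches(rule: dict, payload: bytes) -> bool:
    """Apply one rule's payload options (hypothetical dict layout)."""
    nocase = rule.get("nocase", False)
    if "uricontent" in rule:
        return content_match(uri_of(payload), rule["uricontent"], nocase=nocase)
    return content_match(payload, rule["content"],
                         depth=rule.get("depth"), nocase=nocase)


def evaluate(rules: list, payload: bytes, pass_first: bool) -> Optional[str]:
    """Return the action taken. Default order is alert->pass->log;
    '-o' switches to pass->alert->log, so a matching pass rule wins."""
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, payload):
                return f"{action}: {rule['msg']}"
    return None


# The three rules from the thread, reduced to the options that matter.
WEBDAV_ALERT = {"action": "alert", "msg": "WEB-MISC webdav search access",
                "content": b"SEARCH ", "depth": 8, "nocase": True}
# Mike's first attempt: a 16-byte pattern that can never fit in depth 8.
PASS_ORIGINAL = {"action": "pass", "msg": "OWA pass (content, depth 8)",
                 "content": b"SEARCH /exchange", "depth": 8, "nocase": True}
# Jeff's trimmed rule: uricontent, no depth.
PASS_TRIMMED = {"action": "pass", "msg": "OWA pass (uricontent)",
                "uricontent": b"/exchange", "nocase": True}

PAYLOAD = parse_hexdump(HEXDUMP_EXCERPT)

if __name__ == "__main__":
    for label, rules, pass_first in [
        ("original pass rule, default order", [WEBDAV_ALERT, PASS_ORIGINAL], False),
        ("original pass rule, -o", [WEBDAV_ALERT, PASS_ORIGINAL], True),
        ("trimmed pass rule, default order", [WEBDAV_ALERT, PASS_TRIMMED], False),
        ("trimmed pass rule, -o", [WEBDAV_ALERT, PASS_TRIMMED], True),
    ]:
        print(f"{label:36s} -> {evaluate(rules, PAYLOAD, pass_first)}")
```

Only the last combination (trimmed rule plus "-o") silences the alert: without "-o" the alert is evaluated before any pass rule, and with the original pass rule the depth window excludes the pattern, so the alert fires in both orders. Note that the trimmed rule is a blanket exemption for every SEARCH whose URI contains "/exchange", which is what was asked for here but is the scope a defender should keep in mind when widening it to the other OWA rules Mike mentions.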
