[Snort-sigs] FormMail scanners

Erik Fichtner emf at ...4...
Tue Jan 22 14:02:02 EST 2002



Hey.  

Here are some signatures that peg currently in-use versions of the formmail
scanner applications that our pink meat byproduct foes like to use these
days.    Great to have around if you have local hosts with a spam-proofed
version of formmail that sees legitimate traffic, and especially if you're 
using Hogwash.  

These pick up on certain bugs and constants that appear in the http headers
from the various apps.

The names of the particular apps are completely made up in some cases, as
I didn't really go out trying to find the actual apps themselves, so if you
know what they're *really* called, I'd love to know that.  (Particularly
the second one.. I see that one a lot, but it's been mostly spotted in use
by whoever the hell sexbuggyblue at ...20... used to be.  No, it doesn't use
sexbuggyblue as a signature..)

Anyway, the sigs:

# Note: as posted, all five rules carried sid:884 (the stock formmail rule);
# a sid/rev pair must be unique, so placeholder local sids are used below.

# The |hex| content is "Accept -Language: en -us\r\nAccept -Encoding: gzip , deflate\r\n"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI formmail access (WebBrowserHunter type)";flags: A+; uricontent:"/formmail"; nocase; content: "email=WebBrowserHunter at ...20..."; content: "msg=scanning"; content: "|41 63 63 65 70 74 20 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 20 2D 75 73 0D 0A 41 63 63 65 70 74 20 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 20 2C 20 64 65 66 6C 61 74 65 0D 0A|"; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:attempted-recon; sid:1000001; rev:1;)

# The |hex| content is "User-Agent: Microsoft URL Control - 6.00.8862\r\nHost: "
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI formmail access (sexbuggyblue type)";flags: A+; uricontent:"/formmail"; nocase; content: "|55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69 63 72 6F 73 6F 66 74 20 55 52 4C 20 43 6F 6E 74 72 6F 6C 20 2D 20 36 2E 30 30 2E 38 38 36 32 0D 0A 48 6F 73 74 3A 20|"; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:attempted-recon; sid:1000002; rev:1;)

# The |hex| contents are "User-Agent: Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)\r\nHost: " and "%26message%3Dheh"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI formmail access (heh type)";flags: A+; content: "POST"; content:"/formmail"; nocase; content: "|55 73 65 72 2D 41 67 65 6E 74 3A 20 47 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 35 3B 20 77 69 6E 64 6F 77 73 20 32 30 30 30 29 0D 0A 48 6F 73 74 3A 20|"; content: "|25 32 36 6D 65 73 73 61 67 65 25 33 44 68 65 68|"; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:attempted-recon; sid:1000003; rev:1;)

# The |hex| content is "email=f2@aol.com"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI formmail access (f2/w00t type)";flags: A+; content:"/formmail"; nocase; content: "|65 6D 61 69 6C 3D 66 32 40 61 6F 6C 2E 63 6F 6D|"; content: "msg=w00t"; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:attempted-recon; sid:1000004; rev:1;)

# The |hex| contents are "email=PlatinumScan@platinumscan.com" and "Accept -Language: en -us"
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI formmail access (PlatinumScan type)";flags: A+; content:"/formmail"; nocase; content: "|65 6D 61 69 6C 3D 50 6C 61 74 69 6E 75 6D 53 63 61 6E 40 70 6C 61 74 69 6E 75 6D 73 63 61 6E 2E 63 6F 6D|"; content: "|41 63 63 65 70 74 20 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 20 2D 75 73|"; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:attempted-recon; sid:1000005; rev:1;)


Enjoy... until they release another version....
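An added example, not part of the original post and not Snort's own code: a small Python re-implementation of the content/uricontent matching these rules rely on, including the |hex| notation and the per-option nocase, run over constructed sample requests. It covers three of the rules above; the elided "email=WebBrowserHunter at ..." option is left out, and the request bodies and host names are constructed, not captured traffic.

```python
def decode_content(spec):
    """Decode a Snort content string: text outside |...| is literal, text
    inside |...| is space-separated hex (so "|0D 0A|" becomes b"\\r\\n")."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

# (content spec, nocase) pairs copied from the signatures in the post; the
# elided "email=WebBrowserHunter at ..." option of the first rule is omitted.
RULES = {
    "WebBrowserHunter type": [("/formmail", True), ("msg=scanning", False),
        ("|41 63 63 65 70 74 20 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 20 2D 75 73 0D 0A "
         "41 63 63 65 70 74 20 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 20 2C 20 64 65 66 6C 61 74 65 0D 0A|", False)],
    "sexbuggyblue type": [("/formmail", True),
        ("|55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69 63 72 6F 73 6F 66 74 20 55 52 4C 20 43 6F 6E 74 72 6F 6C"
         " 20 2D 20 36 2E 30 30 2E 38 38 36 32 0D 0A 48 6F 73 74 3A 20|", False)],
    "heh type": [("POST", False), ("/formmail", True),
        ("|55 73 65 72 2D 41 67 65 6E 74 3A 20 47 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B"
         " 20 4D 53 49 45 20 35 2E 35 3B 20 77 69 6E 64 6F 77 73 20 32 30 30 30 29 0D 0A 48 6F 73 74 3A 20|", False),
        ("|25 32 36 6D 65 73 73 61 67 65 25 33 44 68 65 68|", False)],
}

def rule_matches(contents, payload):
    """Snort ANDs a rule's content options; nocase applies only to the
    option it follows, so only /formmail is compared case-insensitively."""
    for spec, nocase in contents:
        needle, hay = decode_content(spec), payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def classify(payload):
    """Names of the rules above whose options all appear in the request."""
    return [n for n, opts in RULES.items() if rule_matches(opts, payload)]

# Constructed sample requests (not captured traffic): the odd "Accept -..."
# headers of the first scanner, the "heh" scanner, and a legitimate POST.
HUNTER_REQ = (b"POST /cgi-bin/formmail.pl HTTP/1.0\r\nHost: www.example.com\r\n"
              b"Accept -Language: en -us\r\nAccept -Encoding: gzip , deflate\r\n"
              b"\r\nrecipient=x%40example.com&msg=scanning")
HEH_REQ = (b"POST /cgi-bin/FormMail.pl HTTP/1.0\r\nUser-Agent: Gozilla/4.0 "
           b"(compatible; MSIE 5.5; windows 2000)\r\nHost: www.example.com\r\n"
           b"\r\nrecipient=x%40example.com%26message%3Dheh")
LEGIT_REQ = (b"POST /cgi-bin/FormMail.pl HTTP/1.0\r\nHost: www.example.com\r\n"
             b"Accept-Language: en-us\r\n\r\nrecipient=x%40example.com&msg=hello")
```

Calling classify() on the three requests returns ['WebBrowserHunter type'], ['heh type'] and [] respectively; a legitimate post that lacks the stray spaces in the Accept headers does not trip the first rule.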



-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900