[Snort-sigs] SMTP rcpt to sed command attempt
mkettler at ...1208...
Tue May 27 12:07:11 EDT 2003
At 11:24 PM 5/24/2003 -0400, Tony Lill wrote:
>alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed
>command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase;
>content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1;
>classtype:attempted-admin; sid:663; rev:6;)
>As written, this rule will trigger on any mail message that contains
>an | followed by "sed " anywhere in the message. I take it that
>distance:0 is meant to order the strings. Perhaps you should add some
>within clauses to rein it in.
Agreed. That rule is really silly at this point, but it might be difficult
to do this correctly just using "within" modifiers. For example, it could
be modified to be:
content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed ";
distance:0; within:20; reference:bugtraq,1;
Of course, the upper cap of 20 creates some false negative cases, as they
can just do:
to avoid it.
I suppose you could make both strings "within:255", but that's not very
helpful against false positives.
It's almost like snort needs a "before_linebreak" option so that we can
look for groups of strings all on the same line. This would make a LOT of
smtp rules significantly more correct and less false positive prone. Of
course, before_linebreak would have to terminate on 0d or 0a since some
broken mailers don't correctly use 0d 0a like they should and only send one
or the other.
line_length might be another useful rule option for overflow checks in pop,
smtp, etc. It would be better than the current trick, which is:
content:"rcpt to\:"; nocase; content:!"|0a|"; within:500;
which gets FPs from misconfigured mailers.
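The matching behaviour argued about above, as an added example that is not part of the thread and not Snort code: a small Python model of the content/distance/within chain in sid:663, the variant with within:20 on the final content, a sketch of the proposed before_linebreak idea (same-line matching, treating a bare 0x0d or 0x0a as a line end), and the negated-content overflow trick beside a line_length sketch. The SMTP samples are constructed here, not captured traffic; before_linebreak and line_length are not real Snort options and are assumptions of this example.

```python
import re

# Constructed sample SMTP client traffic (not captured data), one case per
# point raised in the thread.
LEGIT = b"RCPT TO:<alice@example.test>\r\nDATA\r\n"

# Body text later in the same stream mentions a shell pipeline.
BODY_FP = (b"RCPT TO:<bob@example.test>\r\nDATA\r\n"
           b"Try: cat notes.txt | sed 's/foo/bar/' > out.txt\r\n.\r\n")

# Pipe and 'sed ' on the RCPT TO line itself, the shape the signature is after.
SAME_LINE = b"RCPT TO:<|sed -n 1p>\r\n"

# The same line padded so that 'sed ' sits more than 20 bytes past the '|'.
PADDED = b"RCPT TO:<|" + b" " * 40 + b"sed -n 1p>\r\n"

# A mailer that terminates lines with a bare 0x0d: short lines, no 0x0a at all.
CR_ONLY = b"".join(b"RCPT TO:<user%02d@example.test>\r" % i for i in range(30))

# One RCPT TO line that really is longer than 500 bytes.
LONG_LINE = b"RCPT TO:<" + b"A" * 600 + b">\r\n"

RCPT = b"rcpt to:"
LINE_END = re.compile(rb"[\r\n]")  # either byte alone ends a line


def rule_663(payload, sed_within=None):
    """Model of sid:663 as quoted: 'rcpt to:' (nocase), then '|' with
    distance:0, then 'sed ' with distance:0.  distance:0 only orders the
    matches, so each later content may land anywhere after the previous one.
    sed_within models adding within:N to the final content only, which is the
    variant proposed in the reply; the '|' stays unconstrained."""
    pos = payload.lower().find(RCPT)
    if pos < 0:
        return False
    pipe = payload.find(b"|", pos + len(RCPT))
    if pipe < 0:
        return False
    start = pipe + 1
    end = len(payload) if sed_within is None else start + sed_within
    return payload.find(b"sed ", start, end) >= 0


def same_line_663(payload):
    """Sketch of the proposed before_linebreak option (assumption, not a
    Snort feature): all three strings must appear, in order, on one line,
    where a line ends at 0x0d or 0x0a alone to cope with broken mailers."""
    for line in LINE_END.split(payload):
        pos = line.lower().find(RCPT)
        if pos < 0:
            continue
        pipe = line.find(b"|", pos + len(RCPT))
        if pipe >= 0 and line.find(b"sed ", pipe + 1) >= 0:
            return True
    return False


def no_lf_within(payload, n=500):
    """Model of the overflow trick quoted in the thread:
    content:"rcpt to\\:"; nocase; content:!"|0a|"; within:N;
    The negated content succeeds when no 0x0a occurs in the n bytes after
    the first match, so a mailer that ends lines with a bare 0x0d trips it."""
    pos = payload.lower().find(RCPT)
    if pos < 0:
        return False
    start = pos + len(RCPT)
    return payload.find(b"\n", start, start + n) < 0


def line_too_long(payload, n=500):
    """Sketch of the proposed line_length option (assumption): fire only
    when some line, ending at 0x0d or 0x0a, is longer than n bytes."""
    return max(len(line) for line in LINE_END.split(payload)) > n


def evaluate(payload):
    """Run every check over one payload and return the verdicts by name."""
    return {
        "sid663": rule_663(payload),
        "sid663_within20": rule_663(payload, sed_within=20),
        "same_line": same_line_663(payload),
        "no_lf_within500": no_lf_within(payload),
        "line_too_long": line_too_long(payload),
    }


SAMPLES = {"legit": LEGIT, "body_fp": BODY_FP, "same_line": SAME_LINE,
           "padded": PADDED, "cr_only": CR_ONLY, "long_line": LONG_LINE}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, evaluate(payload))
```

Running it shows the two gaps side by side: BODY_FP fires the original rule and still fires the within:20 variant, because within only ties 'sed ' to the '|' while the '|' may be anywhere after 'rcpt to:', and PADDED escapes the within:20 variant entirely; the same-line check gets both right. CR_ONLY trips the negated-0x0a trick on nothing but short lines, while the line_length sketch stays quiet and still catches LONG_LINE.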