[Snort-sigs] SMTP rcpt to sed command attempt

Matt Kettler mkettler at ...1208...
Tue May 27 12:07:11 EDT 2003

At 11:24 PM 5/24/2003 -0400, Tony Lill wrote:
>alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to sed 
>command attempt"; flow:to_server,established; content:"rcpt to\:"; nocase; 
>content:"\|"; distance:0; content:"sed "; distance:0; reference:bugtraq,1; 
>reference:arachnids,172; reference:cve,CVE-1999-0095; 
>classtype:attempted-admin; sid:663; rev:6;)
>As written, this rule will trigger on any mail message that contains
>an | followed by "sed " anywhere in the message. I take it that
>distance:0 is meant to order the strings. Perhaps you should add some
>within clauses to rein it in.

Agreed. That rule is really silly at this point, but it might be difficult 
to do this correctly just using "within" modifiers. For example it could 
be modified to be:

content:"rcpt to\:"; nocase; content:"\|"; distance:0; content:"sed "; 
distance:0; within:20; reference:bugtraq,1;

Of course, the upper cap of 20 creates some false negative cases, as they 
can just do:


to avoid it.

I suppose you could make both strings "within:255", but that's not very 
helpful against false positives.

It's almost like snort needs a "before_linebreak" option so that we can 
look for groups of strings all on the same line. This would make a LOT of 
smtp rules significantly more correct and less false positive prone. Of 
course, before_linebreak would have to terminate on 0d or 0a since some 
broken mailers don't correctly use 0d 0a like they should and only send one 
or the other.

line_length might be another useful rule option for overflow checks in pop, 
smtp, etc. It would be better than the current trick which is:
content: !"|0a|"; within: 500

Which gets FPs from misconfigured mailers.
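The trade-offs discussed above (the rule as written, the within:20 variant, the proposed "before_linebreak" check and a line-length check versus the negated-LF trick) are easy to see side by side in a small emulation. The following is an added example, not code from the thread or from Snort: it approximates Snort's relative content matching in Python (distance and within are applied as a search window after the previous match, which is a simplification of the real engine) and runs the checks over constructed SMTP fragments. The sample payloads, the function names and the 500-byte threshold are all assumptions made here for illustration.

```python
"""Emulate Snort content/distance/within matching (simplified) and compare it
with a same-line check and a line-length check. All payloads are constructed
here for illustration; they are not real captures."""
import re

# Constructed SMTP fragments (assumed sample data, not real traffic).
SAMPLES = {
    # pipe and 'sed ' on the RCPT line itself
    "attack": b"RCPT TO: |sed '1,/^$/d'|sh\r\n",
    # same thing with 40 bytes of padding between the pipe and 'sed '
    "attack_padded": b"RCPT TO: |" + b" " * 40 + b"sed '1,/^$/d'|sh\r\n",
    # ordinary RCPT line; the pipe and 'sed ' only appear later in the body
    "benign_body": b"RCPT TO: <alice@example.org>\r\nDATA\r\ntry: cat x | sed s/a/b/\r\n",
    # a genuinely over-long RCPT line, properly CRLF-terminated
    "overflow_crlf": b"RCPT TO: " + b"A" * 600 + b"\r\n",
    # short lines from a broken mailer that terminates with CR only
    "short_lines_cr_only": b"RCPT TO: <bob@example.org>\r" + b"MAIL line\r" * 80,
}


def _find(hay, pat, nocase):
    """Substring search, optionally case-insensitive (Snort's nocase)."""
    if nocase:
        return hay.lower().find(pat.lower())
    return hay.find(pat)


def content_chain(payload, chain):
    """Approximate a chain of Snort content matches.

    chain: list of (pattern, nocase, distance, within). distance/within are
    relative to the end of the previous match; None means unconstrained.
    within is modelled as the size of the search window after distance.
    """
    cursor = 0
    for pat, nocase, distance, within in chain:
        start = cursor + (distance or 0)
        window = payload[start:] if within is None else payload[start:start + within]
        idx = _find(window, pat, nocase)
        if idx < 0:
            return False
        cursor = start + idx + len(pat)
    return True


# sid:663 as quoted in the thread, and the within:20 variant
RULE_AS_WRITTEN = [(b"rcpt to:", True, None, None),
                   (b"|", False, 0, None),
                   (b"sed ", False, 0, None)]
RULE_WITHIN_20 = [(b"rcpt to:", True, None, None),
                  (b"|", False, 0, None),
                  (b"sed ", False, 0, 20)]


def same_line_match(payload, first, rest):
    """Emulate the proposed 'before_linebreak' option: after matching `first`
    (nocase), every pattern in `rest` must appear, in order, before the next
    CR or LF (either terminator, since some mailers send only one)."""
    idx = _find(payload, first, True)
    if idx < 0:
        return False
    cursor = idx + len(first)
    end = len(payload)
    for term in (b"\r", b"\n"):
        t = payload.find(term, cursor)
        if t >= 0:
            end = min(end, t)
    line = payload[cursor:end]
    pos = 0
    for pat in rest:
        j = line.find(pat, pos)
        if j < 0:
            return False
        pos = j + len(pat)
    return True


def max_line_length(payload):
    """Length of the longest line, treating CRLF, CR or LF as a terminator
    (the proposed line_length option)."""
    return max(len(line) for line in re.split(rb"\r\n|\r|\n", payload))


def no_lf_trick(payload, anchor=b"rcpt to:", depth=500):
    """Emulate content:"rcpt to:"; nocase; content:!"|0a|"; within:500;
    i.e. alert when no LF appears in the `depth` bytes after the anchor."""
    idx = _find(payload, anchor, True)
    if idx < 0:
        return False
    start = idx + len(anchor)
    return b"\n" not in payload[start:start + depth]


def evaluate(payload):
    """Run every check against one payload and report which ones fire."""
    return {
        "as_written": content_chain(payload, RULE_AS_WRITTEN),
        "within_20": content_chain(payload, RULE_WITHIN_20),
        "same_line": same_line_match(payload, b"rcpt to:", [b"|", b"sed "]),
        "no_lf_trick": no_lf_trick(payload),
        "line_too_long": max_line_length(payload) > 500,
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20s} {evaluate(data)}")
```

Running it shows the points made in the thread: the rule as written fires on the benign body text (false positive), within:20 still fires on that body text but misses the padded attack (false negative), the same-line check fires on both attack variants and not on the benign body, and the negated-LF trick flags the CR-only mailer's short lines while the line-length check does not.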
