[Snort-sigs] FP in 1233 and 2435: possible general prob. w. content checks for filename?

Brian bmc at ...95...
Wed Apr 6 10:44:18 EDT 2005


On Fri, Mar 11, 2005 at 03:01:15PM -0800, James Affeld wrote:
<rulesnip>
> from_client,established; uricontent:".eml";
</rulesnip>

> 1233
> GET /i.p.emlips.gif HTTP/1.1..
> 
> So could we generalize and say any HTTP rules that
> check file extensions should check for a trailing
> space? ".eml " rather than ".eml" Would a webserver
> correctly parse GET /problem.emlHTTP/1.1  ? 

The URI ends at the first space.  As such, looking for space at the
end of the url content would invalidate the rule in the "bad" case.

> Also - are we worried about web clients accessing .eml
> /.emf on web servers?  Seems to me that the attacks
> are flowing from hostile websites to hapless browsers
> and we should be looking at flow:to_client instead.  

Incorrect.  We are concerned with people downloading .eml files from
websites.  The only accurate way of detecting this bad action is to
look for the .eml file extension in the URL.  Perhaps you might want
to try adding this to your rule:

    pcre:"/\.eml(\b|$)/U";

Note, this has not been tested AT ALL.  Use at your own risk!

Brian
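The following is an added illustration, not code from the thread or from the Snort project. It models in Python what Brian describes: Snort's URI buffer (what `uricontent` and a `/U` pcre inspect) is the request line's second token, so it ends at the first space. It then runs the three checks discussed (`uricontent:".eml"`, the proposed `".eml "` with a trailing space, and the suggested `\.eml(\b|$)` pcre, with the dot escaped so it matches a literal period) over constructed request lines, including the reported false positive.

```python
import re

# Constructed request lines (not taken from the thread). The first two are the
# cases James raised; the rest are ordinary .eml requests a rule should still
# catch, plus contrast cases for case sensitivity and for an unescaped dot.
SAMPLE_REQUESTS = [
    "GET /i.p.emlips.gif HTTP/1.1",   # the reported false positive for sid 1233
    "GET /problem.emlHTTP/1.1",       # malformed request line from the question
    "GET /problem.eml HTTP/1.1",      # a plain .eml download
    "GET /mail.eml?id=3 HTTP/1.1",    # .eml followed by a query string
    "GET /archive.EML HTTP/1.1",      # upper-case extension (rules are case-sensitive here)
    "GET /spool/reml HTTP/1.1",       # only an unescaped '.' would match this
]

# Assumption: the normalized URI buffer is exactly the request-line token between
# the method and the first space, as Brian states ("The URI ends at the first space").
def normalized_uri(request_line: str) -> str:
    fields = request_line.split(" ")
    return fields[1] if len(fields) > 1 else ""

def uricontent_eml(uri: str) -> bool:
    # uricontent:".eml" -- plain substring match, case-sensitive
    return ".eml" in uri

def uricontent_eml_space(uri: str) -> bool:
    # the ".eml " variant proposed in the thread
    return ".eml " in uri

# pcre:"/\.eml(\b|$)/U" -- literal ".eml" that is followed by a word boundary
# (e.g. '?', '/', end of buffer) rather than by more filename characters.
EML_PCRE = re.compile(r"\.eml(\b|$)")

# Same pattern with the dot left unescaped: '.' then matches any character.
EML_PCRE_UNESCAPED = re.compile(r".eml(\b|$)")

def pcre_eml(uri: str) -> bool:
    return EML_PCRE.search(uri) is not None

def pcre_eml_unescaped(uri: str) -> bool:
    return EML_PCRE_UNESCAPED.search(uri) is not None

def evaluate(request_line: str) -> dict:
    """Run every check against the URI buffer derived from one request line."""
    uri = normalized_uri(request_line)
    return {
        "uri": uri,
        "uricontent": uricontent_eml(uri),
        "trailing_space": uricontent_eml_space(uri),
        "pcre": pcre_eml(uri),
        "pcre_unescaped": pcre_eml_unescaped(uri),
    }

def run_all() -> dict:
    return {req: evaluate(req) for req in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for req, result in run_all().items():
        print(f"{req!r:36} uri={result['uri']!r:22} "
              f"uricontent={result['uricontent']!s:5} "
              f"trailing_space={result['trailing_space']!s:5} "
              f"pcre={result['pcre']!s:5} "
              f"pcre_unescaped={result['pcre_unescaped']}")
```

Two things the output makes concrete: the trailing-space check never fires, even for a genuine `/problem.eml` request, because the space that terminates the URI is not part of the buffer being inspected; and the word-boundary pcre drops `/i.p.emlips.gif` while still alerting on `/problem.eml` and `/mail.eml?id=3`. The unescaped form also alerts on `/spool/reml`, which is why the period is escaped.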
