[Snort-sigs] FP in 1233 and 2435: possible general prob. w. content checks for filename?

James Affeld jamesaffeld at ...144...
Fri Mar 11 15:01:35 EST 2005


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"WEB-CLIENT Microsoft emf metafile access";
flow:from_client,established; uricontent:".emf";
reference:bugtraq,10120; reference:bugtraq,9707;
reference:cve,2003-0906; classtype:attempted-user;
sid:2435; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"WEB-CLIENT Outlook EML access";
flow:from_client,established; uricontent:".eml";
reference:nessus,10767; classtype:attempted-user;
sid:1233; rev:11;)

These two rules are firing on hotmail sessions when a
gif file is loaded:

2435
GET /i.p.emfemale.gif HTTP/1.1.

1233
GET /i.p.emlips.gif HTTP/1.1..

So could we generalize and say any HTTP rules that
check file extensions should check for a trailing
space, i.e. ".eml " rather than ".eml"? Would a webserver
correctly parse "GET /problem.emlHTTP/1.1"?

Also - are we worried about web clients accessing .eml
/.emf on web servers?  Seems to me that the attacks
are flowing from hostile websites to hapless browsers
and we should be looking at flow:to_client instead.  



		
__________________________________ 
Do you Yahoo!? 
Make Yahoo! your home page 
http://www.yahoo.com/r/hs
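To make the false positive above concrete, here is an added example (my own code, not part of the post or the Snort ruleset) that compares three ways of matching a file extension against an HTTP request line: a bare substring match, which is what `uricontent:".eml"` effectively does; the trailing-space variant proposed above; and a check that the extension ends the URI path once any query string is stripped. The two request lines from the post are used as-is; the other sample lines are constructed for the comparison.

```python
"""Compare extension-matching strategies on HTTP request lines.

Added example, not from the original Snort-sigs post. The first two request
lines are the hotmail GIF fetches quoted in the post; the rest are constructed.
"""
from urllib.parse import urlsplit

# (request line, extension the rule looks for, should a correct rule alert?)
SAMPLES = [
    ("GET /i.p.emfemale.gif HTTP/1.1", ".emf", False),  # from the post: FP on sid 2435
    ("GET /i.p.emlips.gif HTTP/1.1", ".eml", False),    # from the post: FP on sid 1233
    ("GET /report.emf HTTP/1.1", ".emf", True),         # constructed: genuine .emf fetch
    ("GET /message.eml?id=42 HTTP/1.1", ".eml", True),  # constructed: .eml with query string
    ("GET /archive.eml.bak HTTP/1.1", ".eml", False),   # constructed: extension not last
]


def naive_substring(request_line: str, ext: str) -> bool:
    """What a bare uricontent:".eml" amounts to: the string anywhere in the URI."""
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else request_line
    return ext.lower() in uri.lower()


def trailing_space(request_line: str, ext: str) -> bool:
    """The post's proposal: extension followed by the space before HTTP/1.x.

    This needs the raw request line; the URI alone carries no trailing space.
    """
    return (ext.lower() + " ") in request_line.lower()


def extension_at_path_end(request_line: str, ext: str) -> bool:
    """Alert only when the extension ends the URI path, ignoring any query string."""
    parts = request_line.split(" ")
    if len(parts) != 3:          # malformed request line: nothing to decide on
        return False
    path = urlsplit(parts[1]).path
    return path.lower().endswith(ext.lower())


def score(strategy):
    """Return (false positives, false negatives) of a strategy over SAMPLES."""
    false_pos = [line for line, ext, should in SAMPLES if strategy(line, ext) and not should]
    false_neg = [line for line, ext, should in SAMPLES if not strategy(line, ext) and should]
    return false_pos, false_neg


if __name__ == "__main__":
    for strategy in (naive_substring, trailing_space, extension_at_path_end):
        fp, fn = score(strategy)
        print(f"{strategy.__name__:22s} false positives={len(fp)} false negatives={len(fn)}")
```

Running it shows the substring approach alerting on both hotmail GIFs and on the constructed `archive.eml.bak`, the trailing-space approach clearing those but missing a `.eml` fetch that carries a query string, and the path-end check getting all five right. Note that in Snort 2 `uricontent` inspects only the normalized URI buffer, so the trailing space would have to be searched in the raw payload with a plain `content:` match; a `pcre` with the `U` modifier anchored on the end of the path (my suggestion, e.g. `pcre:"/\.eml(\?|$)/Ui"`) expresses the path-end check inside the rule itself.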



