[Snort-sigs] FP with webmails

Chich Thierry thierry.chich at ...2579...
Wed May 17 04:17:01 EDT 2006


The rules 100000118 and 100000119 are producing FPs with webmails. Since
Content-Type and Content-Encoding are MIME fields that also appear in the contents of
the mails, these rules cannot avoid reacting when the mail you are reading
contains such a MIME field.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY 
WEB-CLIENT Internet Explorer URLMON.DLL Content-Type Overflow Attempt"; 
flow:to_client,established; content:"Content-Type|3A|"; nocase; 
pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; 
reference:bugtraq,7419; reference:cve,2003-0113; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; 
sid:100000118; rev:2;)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY 
WEB-CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt"; 
flow:to_client,established; content:"Content-Encoding|3A|"; nocase; 
pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; classtype:attempted-admin; 
reference:bugtraq,7419; reference:cve,2003-0113; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; 
sid:100000119; rev:2;)
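To show why the webmail false positive happens and how a header-scoped check behaves differently, here is an added Python example (it is not part of the post and not Snort code). It reuses the pcre pattern from sid:100000118 verbatim, runs it once over a whole reassembled HTTP response, as the rule above effectively does, and once over only the HTTP header block (everything before the first blank line). The two responses, the function names and the 300-character filler are all constructed for the example; the "webmail page" is an HTML body that displays a message's raw MIME headers, which is exactly the case the post describes.

```python
import re

# Pattern taken verbatim from sid:100000118 (sid:100000119 is identical apart
# from the header name): "Content-Type:" followed by 300+ non-newline bytes.
CONTENT_TYPE_RE = re.compile(rb"Content-Type\x3A[^\r\n]{300,}", re.IGNORECASE)


def matches_anywhere(response: bytes) -> bool:
    """Behave like the posted rule: the pcre is applied to the whole response,
    HTTP headers and body alike, so MIME headers rendered inside a page match."""
    return CONTENT_TYPE_RE.search(response) is not None


def http_header_block(response: bytes) -> bytes:
    """Return the HTTP status line and headers only (bytes before the first
    CRLF CRLF). If no blank line is present the whole buffer is treated as
    headers, which keeps the check conservative for truncated captures."""
    end = response.find(b"\r\n\r\n")
    return response if end == -1 else response[:end]


def matches_header_only(response: bytes) -> bool:
    """Header-scoped variant: only an oversized Content-Type in the real HTTP
    headers matches; the same text inside the body does not."""
    return CONTENT_TYPE_RE.search(http_header_block(response)) is not None


def build_response(headers: bytes, body: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\n" + headers
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed webmail page: ordinary HTTP headers, but the HTML body shows the
# raw MIME headers of the message being read, including a long boundary param.
_long_mime_line = (b"Content-Type: multipart/mixed; boundary=\"=_Part_"
                   + b"x" * 320 + b"\"\n")
WEBMAIL_PAGE = build_response(
    b"Content-Type: text/html; charset=utf-8\r\n",
    b"<html><body><pre>\n" + _long_mime_line + b"</pre></body></html>\n",
)

# Constructed response whose own HTTP Content-Type header is oversized; the
# filler is plain 'A's, just enough to exceed the rule's 300-byte threshold.
LONG_HEADER_RESPONSE = build_response(
    b"Content-Type: text/html; " + b"A" * 320 + b"\r\n",
    b"<html></html>\n",
)


def classify(response: bytes) -> dict:
    """Report how the two matching strategies treat one response."""
    return {
        "rule_as_posted": matches_anywhere(response),
        "header_scoped": matches_header_only(response),
    }


if __name__ == "__main__":
    for name, resp in (("webmail page", WEBMAIL_PAGE),
                       ("oversized header", LONG_HEADER_RESPONSE)):
        print(name, classify(resp))
```

Running it shows the webmail page firing under the as-posted logic but not under the header-scoped one, while the response with an oversized HTTP Content-Type header fires under both. The Snort-side equivalent is to confine the content and pcre matches to the HTTP header buffer rather than the full reassembled stream (the http_header content modifier in later Snort 2.x releases does this); whether that is available depends on the Snort and http_inspect version in use.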
