[Snort-sigs] SMTP MS Windows Mail UNC navigation remote command execution rule #11837

Chris Stevens chrisstevens at ...592...
Sun Jul 4 22:08:49 EDT 2010


Hi,

I'm trying to minimise false positives on our primary snort IDS - this is
one of the alerts which seems to trigger quite often. The archives show me
the same question was asked in 2007 with no answer.

Sample packet:

ww.quivamail.com/go/?434C4A415E575F43435544534B4D5B4841
Report Abuse: abuse at ...3506...
--------=_NextPart_000_0030_01.1277703939358
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
<zoostart />
<html><head><meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type"><title></title></head><body><meta
http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><meta
name="ProgId" content="Word.Document"><meta name="Generator"
content="Microsoft Word 11"><meta name="Originator" content="Microsoft Word
11"><link rel="File-List"
href="file:///C:%5CDOCUME%7E1%5CJBRESO%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_filelist.xml"><link
rel="Edit-Time-Data"
href="file:///C:%5CDOCUME%7E1%5CJBRESO%7E1%5CLOCALS%7E1%5CTemp%5Cmsohtml1%5C01%5Cclip_editdata.mso"><!--[if
!mso]><style> v\:* {behavior:url(#default#VML);} o\:*
{behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape
{behavior:url(#default#VML);} </style><![


This alert is triggered by (after finding Content-Type: text/html)

pcre:"/.*<[^>]*href[^>]*(file\x3A|[cC]\x3A|\\\\).*>/";

Which would indicate to me that a link to any local file will fire the
alert. What have others done with this rule?

Cheers,
Chris
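As an added example (not part of Chris's post or of the Snort rule set): the PCRE quoted above run in Python over constructed HTML bodies modelled on the sample, plus a triage helper that separates Word's clipboard temp-file links (the pattern in the posted packet) from other local or UNC hrefs. The sample bodies, the 'msohtml' heuristic and the function names are assumptions made for this example.

```python
import re

# The PCRE quoted in the post, as a Python pattern. Python's re accepts \x3A
# and, like PCRE without /s, '.' stops at a newline while [^>] does not, so a
# tag that Word splits across two lines still matches.
RULE_PCRE = re.compile(r'.*<[^>]*href[^>]*(file\x3A|[cC]\x3A|\\\\).*>')

# Narrower, case-insensitive extractor used only for triage: every href whose
# target starts with file:, a drive letter or a UNC prefix (two backslashes).
LOCAL_HREF = re.compile(r'href\s*=\s*["\']?((?:file:|[A-Za-z]:|\\\\)[^"\'\s>]*)', re.I)

def rule_fires(html_body: str) -> bool:
    """True when the quoted Snort PCRE would match this text/html body."""
    return RULE_PCRE.search(html_body) is not None

def local_hrefs(html_body: str) -> list:
    """All local-path or UNC href targets, so an analyst can see what fired."""
    return LOCAL_HREF.findall(html_body)

def is_word_clipboard_residue(targets) -> bool:
    """Heuristic (an assumption for this example): every local href points into
    an Office 'msohtml' temp folder, as the post's Word-generated sample does."""
    return bool(targets) and all('msohtml' in t.lower() for t in targets)

def triage(html_body: str) -> str:
    """Sort a body into no-alert / office-clipboard-residue / review."""
    if not rule_fires(html_body):
        return 'no-alert'
    if is_word_clipboard_residue(local_hrefs(html_body)):
        return 'office-clipboard-residue'
    return 'review'

# Constructed samples (not the original packet), modelled on the post.
WORD_MAIL = ('<html><head><meta name="Generator" content="Microsoft Word 11">'
             '<link rel="File-List"\n'
             'href="file:///C:%5CDOCUME%7E1%5CUSER%5CLOCALS%7E1%5CTemp'
             '%5Cmsohtml1%5C01%5Cclip_filelist.xml"><link rel="Edit-Time-Data"\n'
             'href="file:///C:%5CDOCUME%7E1%5CUSER%5CLOCALS%7E1%5CTemp'
             '%5Cmsohtml1%5C01%5Cclip_editdata.mso"></head><body>hi</body></html>')
UNC_MAIL = '<html><body><a href="\\\\fileserver.example\\share\\readme.txt">open</a></body></html>'
WEB_MAIL = '<html><body><a href="https://www.example.com/">site</a></body></html>'
# Upper-case attribute: the PCRE as quoted carries no /i flag, so it misses this.
UPPER_MAIL = '<html><body><A HREF="file:///C:/temp/x.html">x</A></body></html>'

if __name__ == '__main__':
    for name, body in [('word', WORD_MAIL), ('unc', UNC_MAIL),
                       ('web', WEB_MAIL), ('upper', UPPER_MAIL)]:
        print(name, rule_fires(body), triage(body), local_hrefs(body))
```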