[Snort-sigs] Rule 13573 question

Alex Kirk akirk at ...435...
Wed Oct 5 11:55:36 EDT 2011


No, you don't run Outlook on port 80...but Outlook gets called when you
click a "mailto:" link out of an HTML document over port 80, and that's why
the rule is written like it is.

As for that URL triggering it - the rule was written with HTML tags in mind,
and the data that trips it looks like JSON. I've got an idea of how to fix
up the rule; we'll open up an internal bug to verify my idea before sending
it out.

On Wed, Oct 5, 2011 at 10:30 AM, Lay, James <james.lay at ...3513...> wrote:

> Rule:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> Microsoft Outlook arbitrary command line attempt ";
> flow:from_server,established; content:"mailto|3A|"; nocase;
> pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi";
> reference:cve,2008-0110;
> reference:url,www.microsoft.com/technet/security/bulletin/MS08-015.mspx;
> classtype:misc-attack; sid:13573; rev:4;)
>
>
>
> In looking at the MS bulletin, this is an Outlook client issue yes? Do
> people run Outlook over port 80? Anyways, the below link will fire this one
> off.
>
>
>
> http://static.meteorsolutions.com/metsol.js
>
>
>
> James
>
-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...435...
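To make the false positive discussed above concrete, here is an added example (not part of the thread, and not Sourcefire's rule engine) that re-implements the `content` and `pcre` options of SID 13573 in Python and runs them over constructed samples: a plain HTML mailto link, a JSON-style record of the kind Alex describes, and the URL-encoded `%22%2c` branch of the pattern. The sample strings are constructed for illustration and are not taken from metsol.js.

```python
import re

# Re-implementation of the rule's two detection options (added example,
# not Snort's own matcher):
#   content:"mailto|3A|"; nocase;
#   pcre:"/mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)/smi";
CONTENT = b"mailto:"
PCRE = re.compile(
    rb"mailto\x3a[^>]*\?[^>]*(\x22|%22)(\x2c|%2c)",
    re.S | re.M | re.I,  # the rule's /smi modifiers (only 'i' matters here: no '.', '^' or '$')
)


def rule_13573_matches(payload: bytes) -> bool:
    """Return True when both the content match and the pcre of SID 13573 hit."""
    # Snort evaluates the fast-pattern 'content' first; 'nocase' makes it case-insensitive.
    if CONTENT not in payload.lower():
        return False
    return PCRE.search(payload) is not None


# Constructed samples (not real traffic, not the contents of metsol.js).
SAMPLES = {
    # HTML mailto link with a query string: the closing quote is followed by '>',
    # and both [^>]* runs stop at the tag end, so '",' is never seen -> no alert.
    "benign_html": b'<a href="mailto:info@example.invalid?subject=Hello">Contact us, please</a>',
    # JSON-style data: a quoted mailto URL containing '?' is terminated by '",'
    # (end of string value, next key), which is exactly what the pcre wants -> false positive.
    "json_like": b'{"contact":"mailto:info@example.invalid?subject=Hello","next":"page2"}',
    # The URL-encoded branch (%22 %2c) inside the mailto URI itself, the kind of
    # HTML-embedded data the rule was written for -> alert.
    "encoded_in_uri": b'<a href="mailto:a@example.invalid?subject=x%22%2cy">',
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_13573_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no alert'}")
```

Running it shows that the JSON-like body alerts alongside the genuine HTML pattern, because nothing in the pcre ties the `",` to an HTML attribute rather than to a JSON string terminator.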