[Snort-sigs] Rule thoughts

James Lay jlay at ...3266...
Thu Sep 6 18:06:58 EDT 2012


On 2012-09-06 13:08, James Lay wrote:
> Hey all,
>
> So...been keeping my eye on:
>
> http://seclists.org/bugtraq/2012/Sep/29
>
> and was interested in this portion to have Snort look at:
>
>    @font-face
>    {
>      font-family: "MyFont";
>      src: url(mailto:xxx<... approximately 2,020 characters removed
> ...>xxx);
>    }
>
> My thought was to do something like:
>
> content: "mailto:<"; content: ">"; within: 1500;
>
> or would offset be more appropriate?  Any pointers would help...thank
> you.
>
> James

So ok...here's what I got (admit it...you saw this coming ;)).  Thanks 
to Joel, Nathan, and Rmkml for the HUGE help.

# Direction and flow follow the WEB-CLIENT convention: the @font-face CSS
# arrives in the server's HTTP response, so the rule has to watch traffic
# headed to the client, not the client's request.  The "<... approximately
# 2,020 characters removed ...>" in the Bugtraq snippet is an elision marker,
# not payload, so the anchor is "mailto:" (nocase, since URL schemes are
# case-insensitive) rather than "mailto:<".  isdataat requires 200 bytes after
# the anchor; the two negated contents require no '>' and no newline in those
# 200 bytes (a negated match does not move the cursor, so both stay relative
# to the anchor).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Unusually long mailto, possibly malicious"; flow:to_client,established; content:"mailto:"; nocase; isdataat:200,relative; content:!">"; within:200; content:!"|0A|"; within:200; classtype:bad-unknown; sid:10000022; reference:url,http://seclists.org/bugtraq/2012/Sep/29; rev:1;)

This could possibly be extended to port 25 as well to determine initial 
point of entry.  I don't really have a pcap of this to test (booooo) but 
so far no hits in a live environment...I honestly don't really expect to 
ever see this hit, but eh...who knows.  The vuln that brought this about 
is already patched with MS12-052, so this may have just been an exercise 
in learning and not much else.  Thanks all!

James
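Added example (not from the post above and not Snort's own code): a small Python emulation of the content / isdataat / within semantics that the rule in this thread relies on, run over constructed payloads so the option chain can be sanity-checked without a pcap. It also evaluates the positive-within draft quoted at the top of the thread. The "<... approximately 2,020 characters removed ...>" in the Bugtraq snippet reads as an elision marker rather than payload, so the example takes the anchor string as a parameter to show what "mailto:<" and "mailto:" each match. All sample payloads are constructed here; the function names are the example's own, and the matching is an approximation of Snort's engine (no HTTP normalization, no stream reassembly).

```python
"""Emulate the content / isdataat / within checks of the long-mailto Snort rule.

Added example, not Snort code and not part of the original post: a pure-Python
approximation of how Snort 2.x walks the rule's option chain, so the logic can
be checked without a capture.  Every payload below is constructed here.
"""

# Constructed sample payloads (none come from real traffic).
# POC_CSS mirrors the shape of the Bugtraq snippet: the "<... approximately
# 2,020 characters removed ...>" there is an elision marker, so the real
# payload is "mailto:" followed by ~2,020 characters with no '>' or newline.
POC_CSS = (
    b"@font-face\n{\n  font-family: \"MyFont\";\n"
    b"  src: url(mailto:" + b"x" * 2020 + b");\n}\n"
)
BENIGN_ANCHOR = b'<a href="mailto:bob@example.com?subject=hi">mail</a>'
LONG_BUT_WRAPPED = b"mailto:" + b"a" * 150 + b"\n" + b"a" * 150
TWO_LINKS = BENIGN_ANCHOR + b"\n" + POC_CSS


def content(payload, pattern, pos=0, nocase=False):
    """Snort 'content': first occurrence of pattern at or after pos.

    Returns the cursor just past the match (Snort's doe_ptr), or None.
    """
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    idx = hay.find(needle, pos)
    return None if idx < 0 else idx + len(needle)


def isdataat(payload, n, pos):
    """Snort 'isdataat:n,relative': at least n bytes of payload after the cursor."""
    return len(payload) - pos >= n


def not_within(payload, pattern, pos, n):
    """Negated relative content ('content:!pat; within:n'): True when pat does
    NOT occur in the n bytes after the cursor.  A negated match never moves the
    cursor, so a second negated check stays relative to the same position."""
    return pattern not in payload[pos:pos + n]


def long_mailto_rule(payload, anchor=b"mailto:", n=200):
    """Option chain of the posted rule (sid:10000022):

        content:ANCHOR; isdataat:n,relative; content:!">"; within:n;
        content:!"|0A|"; within:n;

    Snort retries a content match at its next occurrence when the relative
    options after it fail, so the loop below does the same.
    """
    pos = 0
    while True:
        cur = content(payload, anchor, pos, nocase=True)
        if cur is None:
            return False
        if (isdataat(payload, n, cur)
                and not_within(payload, b">", cur, n)
                and not_within(payload, b"\n", cur, n)):
            return True
        pos = cur  # try the next occurrence of the anchor


def draft_rule(payload, anchor=b"mailto:", n=1500):
    """The first draft quoted in the thread, content:ANCHOR; content:">"; within:n;
    with a *positive* within: fires when '>' appears within n bytes after the
    anchor, i.e. on practically every ordinary mailto link, and misses a
    payload whose '>' (if any) lies beyond n bytes."""
    pos = 0
    while True:
        cur = content(payload, anchor, pos, nocase=True)
        if cur is None:
            return False
        if b">" in payload[cur:cur + n]:
            return True
        pos = cur


if __name__ == "__main__":
    samples = [("POC_CSS", POC_CSS), ("BENIGN_ANCHOR", BENIGN_ANCHOR),
               ("LONG_BUT_WRAPPED", LONG_BUT_WRAPPED), ("TWO_LINKS", TWO_LINKS)]
    for name, body in samples:
        print(f"{name:17s} posted rule: {long_mailto_rule(body)!s:5s} "
              f"draft (within:1500): {draft_rule(body)!s:5s} "
              f"anchor 'mailto:<': {long_mailto_rule(body, anchor=b'mailto:<')}")
```

Running it prints one row per sample: the PoC-shaped CSS is the only payload the negated-within chain flags on its own, the benign anchor fails isdataat, the line-wrapped one trips the |0A| check, and the two-link payload shows the retry on the second "mailto:". The draft with a positive within:1500 does the opposite, firing on the ordinary link and staying silent on the PoC shape; with "mailto:<" as the anchor nothing matches at all. This is a logic check only; confirming the rule still means feeding a real capture through snort -r.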
