[Snort-sigs] Offered new rule for detect last Outlook/Crypto API...
rmkml at ...174...
Tue Nov 12 18:49:27 EST 2013
OK, first: I have developed this rule during my new project: http://etplc.org
Thanks to the Nruns company for recently releasing an old design bug in Microsoft Outlook/Crypto API X.509.
Please find a "specific" rule release for detecting this:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP requests attempt"; \
flow:to_server,established; content:"multipart/signed|3B|"; nocase; \
content:"application/pkcs7-signature|3B|"; nocase; distance:0; \
classtype:attempted-admin; sid:95420; rev:1;)
Maybe this rule or others will be improved in the future (using file_data for decoding base64, checking the X.509 certificate 22.214.171.124..., checking the UA CryptoAPI outgoing proxy...).
Remember to check Snort variables like $SMTP_SERVERS...
All comments are welcome.
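As an added example (not part of the original post or the etplc.org ruleset), here is a stand-alone Python check that mirrors the two content matches the rule keys on, then goes one step further by decoding the base64 signature part with the stdlib email parser, which is the kind of follow-up the file_data remark points at. The sample message and its PKCS#7 placeholder blob are constructed.

```python
import base64
import email
from email import policy

# Constructed sample: an S/MIME signed message whose signature part carries a
# placeholder blob instead of a real PKCS#7 structure.
FAKE_P7S = base64.b64encode(b"PLACEHOLDER-PKCS7-BLOB").decode()
SAMPLE_SIGNED = f"""From: alice@example.test
To: bob@example.test
Subject: signed test
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

{FAKE_P7S}
--b1--
""".encode()
SAMPLE_PLAIN = b"From: a@example.test\r\nContent-Type: text/plain\r\n\r\nhi\r\n"


def raw_rule_match(msg: bytes) -> bool:
    """Byte-level equivalent of the rule: both strings, case-insensitive (nocase),
    the second found at or after the end of the first (distance:0).
    Note this fires on every S/MIME signed mail, so it is a trigger for
    deeper inspection, not proof of abuse."""
    low = msg.lower()
    first = b"multipart/signed;"
    i = low.find(first)
    if i < 0:
        return False
    return low.find(b"application/pkcs7-signature;", i + len(first)) >= 0


def inspect_smime(msg: bytes) -> dict:
    """Structured check: walk the MIME tree and decode the signature blob
    (the decoded bytes are where a certificate/URL check would start)."""
    m = email.message_from_bytes(msg, policy=policy.default)
    result = {"multipart_signed": False, "pkcs7_part": False, "sig_len": 0}
    if m.get_content_type() != "multipart/signed":
        return result
    result["multipart_signed"] = True
    for part in m.iter_parts():
        if part.get_content_type() in ("application/pkcs7-signature",
                                       "application/x-pkcs7-signature"):
            result["pkcs7_part"] = True
            blob = part.get_payload(decode=True)  # base64 -> raw PKCS#7 bytes
            result["sig_len"] = len(blob)
    return result
```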