[Snort-sigs] Offered new rule to detect the latest Outlook/Crypto API...

rmkml rmkml at ...174...
Tue Nov 12 18:49:27 EST 2013


Hi,

OK, first: I developed this rule during my new project: http://etplc.org

Thanks to the Nruns company for recently releasing an old design bug in Microsoft Outlook/Crypto API X.509:

http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex/
http://seclists.org/fulldisclosure/2013/Nov/84

Please find a "specific" rule released for detecting this:

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP requests attempt"; \
flow:to_server,established; content:"multipart/signed|3B|"; nocase; \
content:"application/pkcs7-signature|3B|"; nocase; distance:0; \
content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; \
reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; \
reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; \
classtype:attempted-admin; sid:95420; rev:1;)

Maybe this rule or others will be improved in the future (using file_data for decoding base64, checking the X.509 certificate 1.1.1.1..., checking the CryptoAPI UA on the outgoing proxy...).

Remember to check Snort variables like $SMTP_SERVERS...

All comments are welcome.

Regards
@Rmkml
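The detection logic of the rule, re-expressed as an added worked example (not code from the original post, nor from the etplc.org project): a byte-level approximation of the rule's three ordered content matches, and beside it the decoded check the post mentions as a possible improvement (parse the MIME structure, base64-decode the application/pkcs7-signature part and look for the run of 0x41 bytes). The S/MIME messages, addresses and boundary are constructed for the demonstration and carry no real PKCS#7 object; the 64-character base64 line is "QUFB" repeated, which is what 48 bytes of 0x41 ("A") encode to. The SHIFTED sample shows why the decoded check matters: one byte prepended to the blob moves the run off the base64 line boundary, so the raw line pattern no longer fires while the decoded content is unchanged.

```python
"""Detection logic of the Snort rule above, re-expressed in Python.

Added example, not code from the original post or from etplc.org. The
messages below are constructed for the demonstration and carry no real
PKCS#7 object; the 0x41 run is only what the rule's base64 line encodes.
"""
import base64
import email
from email import policy

CRLF = b"\r\n"

# The rule's third content match: a full 64-character base64 line made of
# "QUFB" groups, which is what 48 bytes of 0x41 ("A") encode to.
SIG_LINE = base64.b64encode(b"A" * 48)


def snort_style_match(smtp_payload: bytes) -> bool:
    """Byte-level approximation of the rule's three content matches.

    The first two are case-insensitive (nocase) and ordered (distance:0 means
    each search starts where the previous match ended); the third is case
    sensitive and framed by |0A| ... |0D|, i.e. it must be a whole line.
    No MIME parsing and no base64 decoding happen here, exactly as in the rule.
    """
    hay = smtp_payload.lower()
    pos = 0
    for pat in (b"multipart/signed;", b"application/pkcs7-signature;"):
        idx = hay.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return smtp_payload.find(b"\n" + SIG_LINE + b"\r", pos) >= 0


def decoded_signature_check(raw_message: bytes, min_run: int = 48) -> bool:
    """What the 'file_data + base64 decoding' improvement would give.

    Parse the MIME structure, base64-decode every application/pkcs7-signature
    part and look for a run of at least min_run 0x41 bytes in the decoded
    blob, wherever it falls relative to the base64 line boundaries.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return False
    for part in msg.walk():
        if part.get_content_type() == "application/pkcs7-signature":
            blob = part.get_payload(decode=True)  # undoes the base64 CTE
            if blob and b"A" * min_run in blob:
                return True
    return False


def build_signed_message(sig_blob: bytes) -> bytes:
    """Constructed multipart/signed message carrying sig_blob as the detached
    signature body, base64-encoded in 64-character CRLF-terminated lines."""
    b64 = base64.b64encode(sig_blob)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = [
        b"From: sender@example.invalid",
        b"To: victim@example.invalid",
        b"Subject: signed",
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
        b' micalg=sha1; boundary="b1"',
        b"",
        b"--b1",
        b"Content-Type: text/plain",
        b"",
        b"hello",
        b"--b1",
        b'Content-Type: application/pkcs7-signature; name="smime.p7s"',
        b"Content-Transfer-Encoding: base64",
        b"",
    ]
    return CRLF.join(head + lines + [b"--b1--"]) + CRLF


# Constructed samples (not real traffic):
#  HIT     - the 48-byte run starts the blob, so its base64 is the rule's line
#  SHIFTED - one byte prepended: same decoded run, but no line equals SIG_LINE
#  BENIGN  - a blob with no such run at all
HIT = build_signed_message(b"A" * 48 + b"\x01\x02\x03")
SHIFTED = build_signed_message(b"\x00" + b"A" * 48 + b"\x01\x02")
BENIGN = build_signed_message(bytes(range(256)))


def run_samples() -> dict:
    """Both checks over the three samples: name -> (raw rule, decoded check)."""
    return {
        name: (snort_style_match(m), decoded_signature_check(m))
        for name, m in (("HIT", HIT), ("SHIFTED", SHIFTED), ("BENIGN", BENIGN))
    }


if __name__ == "__main__":
    for name, (raw, decoded) in run_samples().items():
        print(f"{name:8s} raw-rule={raw!s:5s} decoded-check={decoded}")
```

The raw check reproduces what the rule sees on the wire, so it inherits the rule's limits: the base64 line has to start exactly at the run and the part has to use CRLF line endings. The decoded check is closer to what a file_data based rule would inspect, at the cost of buffering and parsing the whole message.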