[Snort-sigs] [Emerging-Sigs] Offered new rule for detect last Outlook/Crypto API...
wmetcalf at ...3525...
Tue Nov 12 18:14:06 EST 2013
Thanks will get this into QA.
On Tue, Nov 12, 2013 at 5:49 PM, rmkml <rmkml at ...174...> wrote:
> ok first, I have developped this rule during my new project:
> Thx Nruns company for recently released an old design bug in Microsoft
> Outlook/Crypto API X.509:
> Please found a "specific" rule release for detecting this:
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP
> SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP
> requests attempt";
> flow:to_server,established; content:"multipart/signed|3B|"; nocase;
> content:"application/pkcs7-signature|3B|"; nocase; distance:0;
> reference:cve,2013-3870; reference:url,www.microsoft.
> com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/
> blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin;
> sid:95420; rev:1;)
> Maybe this rule or others will be improved in future (using file_data for
> decoding base64, checking x509 certificate 184.108.40.206..., checking UA
> CryptoAPI outgoing proxy...).
> Don't remember checking snort variables like $SMTP_SERVERS...
> All comments are welcome.
> Emerging-sigs mailing list
> Emerging-sigs at ...3694...
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> The ONLY place to get complete premium rulesets for all versions of
> Suricata and Snort 2.4.0 through Current!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs