[Snort-sigs] [Emerging-Sigs] Offered new rule for detect last Outlook/Crypto API...

Will Metcalf wmetcalf at ...3525...
Tue Nov 12 18:14:06 EST 2013


Thanks, will get this into QA.


On Tue, Nov 12, 2013 at 5:49 PM, rmkml <rmkml at ...174...> wrote:

> Hi,
>
> ok first, I developed this rule during my new project:
> http://etplc.org
>
> Thx to the Nruns company for recently releasing an old design bug in Microsoft
> Outlook/Crypto API X.509:
>
> http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex/
> http://seclists.org/fulldisclosure/2013/Nov/84
>
> Please find a "specific" rule released for detecting this:
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP requests attempt";
> flow:to_server,established; content:"multipart/signed|3B|"; nocase;
> content:"application/pkcs7-signature|3B|"; nocase; distance:0;
> content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0;
> reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx;
> reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex;
> classtype:attempted-admin; sid:95420; rev:1;)
>
> Maybe this rule or others will be improved in the future (using file_data for
> decoding base64, checking the x509 certificate 1.1.1.1..., checking the UA
> CryptoAPI outgoing proxy...).
>
> Don't forget to check snort variables like $SMTP_SERVERS...
>
> All comments are welcome.
>
> Regards
> @Rmkml
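
The matching the posted rule performs, re-implemented as an added Python example (not rmkml's code and not part of any ET or Snort rule set) so it can be exercised offline: it runs the same ordered content chain over a constructed S/MIME message and adds the base64-decoding check (what file_data would expose) that the post lists as a possible improvement. The sample messages, the 16 x "QUFB" filler run and all function names are constructed here.

```python
import base64
import re
from email import message_from_bytes

# The rule's content chain; distance:0 means each hit must follow the previous.
RULE_CHAIN = [b"multipart/signed;", b"application/pkcs7-signature;"]  # nocase
B64_RUN = b"QUFB" * 16              # 64 base64 chars == 48 bytes of 0x41 ('A')
LINE_RUN = b"\n" + B64_RUN + b"\r"  # the rule's |0A| ... |0D|: a whole line

def rule_matches(payload: bytes) -> bool:
    """Byte-level re-implementation of the rule's content checks only
    (flow, port and variable conditions are not modelled)."""
    low, pos = payload.lower(), 0
    for needle in RULE_CHAIN:
        pos = low.find(needle, pos)         # case-insensitive, like nocase
        if pos < 0:
            return False
        pos += len(needle)
    return payload.find(LINE_RUN, pos) >= 0  # last content has no nocase

def decoded_run_length(payload: bytes) -> int:
    """Sketch of the improvement the post mentions: decode the PKCS#7 part
    (what file_data would expose) and measure the longest run of 0x41 bytes,
    so a re-wrapped base64 line does not slip past the raw string match."""
    longest = 0
    for part in message_from_bytes(payload).walk():
        if part.get_content_type() == "application/pkcs7-signature":
            der = part.get_payload(decode=True) or b""
            longest = max([longest] + [len(r) for r in re.findall(rb"A+", der)])
    return longest

def smime_sample(sig_lines):
    """Constructed multipart/signed message for testing (not a real capture)."""
    return (b"From: sender@example.test\r\nTo: user@example.test\r\n"
            b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
            b' micalg=sha1; boundary="B1"\r\n\r\n'
            b"--B1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
            b'--B1\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + b"\r\n".join(sig_lines) + b"\r\n--B1--\r\n")

# Signature part with the filler run on its own line: fires the rule.
SUSPECT = smime_sample([base64.b64encode(b"\x30\x82\x01\x00" + b"\x00" * 44),
                        B64_RUN, base64.b64encode(b"\x00" * 6)])
# Same framing, no run: the rule stays silent and the decoded check sees no 'A's.
BENIGN = smime_sample([base64.b64encode(bytes(range(48))),
                       base64.b64encode(bytes(range(100, 148)))])
```

Re-wrapping the base64 at a different line length defeats the raw `|0A|...|0D|` match but not the decoded check, which is the gap the file_data variant would close.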

