[Snort-sigs] Offered new rule for detect last Outlook/Crypto API...

rmkml rmkml at ...174...
Wed Nov 13 11:02:51 EST 2013


ok please check a new version (but not for Suricata20b1, sorry):

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"application/pkcs7-signature|3B|"; nocase; file_data; content:"|06 08 2B 06 01 05 05 07 01 01|"; distance:0; content:"http://"; within:50; distance:0; pcre:"/^[^\/]*?\:\d+\//R"; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:95420; rev:2;)

Created during my new project http://etplc.org

Regards
@Rmkml

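The check the rev:2 rule expresses, carried out offline over a constructed S/MIME message, as an added example (not code from the original post or from etplc.org): it decodes the pkcs7-signature part the way file_data does, locates the id-pe-authorityInfoAccess OID, and reports AIA URLs that carry an explicit host:port. The DER fragment, the mail and the 203.0.113.5:8080 address are constructed sample data, and the extension is built alone rather than inside a full certificate.

```python
import re
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# DER encoding of OID 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess), the rule's second content match.
AIA_OID = bytes.fromhex("06082B06010505070101")
# Equivalent of the rule's pcre "/^[^\/]*?\:\d+\//R" applied right after "http://".
URL_WITH_PORT = re.compile(rb"http://[^/]*?:\d+/")


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV helper; short-form length only (body < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def build_sample_signature(uri: bytes) -> bytes:
    """Constructed sample: only an AIA extension whose OCSP accessLocation is `uri`
    (not a complete certificate or CMS structure)."""
    ocsp_oid = bytes.fromhex("06082B06010505073001")        # id-ad-ocsp 1.3.6.1.5.5.7.48.1
    access_desc = der(0x30, ocsp_oid + der(0x86, uri))       # [6] uniformResourceIdentifier
    aia_value = der(0x04, der(0x30, access_desc))            # OCTET STRING { SEQUENCE OF }
    return der(0x30, AIA_OID + aia_value)


def build_sample_mail(sig_der: bytes) -> bytes:
    """Constructed multipart/signed message; MIMEApplication base64-encodes the blob."""
    msg = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha1")
    msg.attach(MIMEText("hello"))
    msg.attach(MIMEApplication(sig_der, "pkcs7-signature"))
    return msg.as_bytes()


def find_aia_urls_with_port(raw_mail: bytes, window: int = 50) -> list:
    """Mirror the rule: decode each pkcs7-signature part (what file_data hands Snort), find
    the AIA OID, require "http://" within `window` bytes of it, keep URLs with host:port/."""
    hits = []
    for part in message_from_bytes(raw_mail).walk():
        if part.get_content_type() != "application/pkcs7-signature":
            continue
        blob = part.get_payload(decode=True) or b""
        pos = blob.find(AIA_OID)
        while pos != -1:
            after = pos + len(AIA_OID)
            start = blob.find(b"http://", after, after + window)
            if start != -1:
                m = URL_WITH_PORT.match(blob, start)
                if m:
                    hits.append(m.group(0).decode("ascii", "replace"))
            pos = blob.find(AIA_OID, after)
    return hits
```

A signature whose AIA points at a plain http://host/ URL produces no hit, which matches the rule's intent of flagging only explicit-port targets.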

On Wed, 13 Nov 2013, rmkml wrote:

> Hi,
>
> ok first, I have developed this rule during my new project: http://etplc.org
>
> Thx to the Nruns company for recently releasing an old design bug in Microsoft 
> Outlook/Crypto API X.509:
>
> http://blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex/
> http://seclists.org/fulldisclosure/2013/Nov/84
>
> Please find a "specific" rule released for detecting this:
>
> alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $SMTP_PORTS (msg:"SMTP SPECIFIC Microsoft Outlook/Crypto API X.509 design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:95420; rev:1;)
>
> Maybe this rule or others will be improved in the future (using file_data for 
> decoding base64, checking x509 certificate 1.1.1.1..., checking UA CryptoAPI 
> outgoing proxy...).
>
> Don't remember checking snort variables like $SMTP_SERVERS...
>
> All comments are welcome.
>
> Regards
> @Rmkml
>