[Snort-users] RE: [Snort-sigs] SMTP From Comment Overflow rule problems

Ron Shuck rshuck at ...6736...
Fri Apr 11 05:57:24 EDT 2003


I agree. I plan to change my rule, but it still looks like the distance
options may not be working, at least not as I expect.

Ron Shuck, CISSP - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org 


-----Original Message-----
From: Jacob Hurley [mailto:jacobh at ...8845...] 
Sent: Friday, April 11, 2003 1:53 AM
To: Ron Shuck; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] SMTP From Comment Overflow rule problems


Yes, I have been wondering the exact same thing. I have seen many trigger on
emails very similar to yours. What would be the harm of changing this:

content:"From\:";
content:"<><><><><><><><><><><><><><><><><><><><><><>";

to something like:

content:"From\:<><><><><><><><><><><><><><><><><><><><><><>";

Jacob Hurley
Network Operations Center
Alexander Open Systems

-----Original Message-----
From: Ron Shuck [mailto:rshuck at ...6736...] 
Sent: Monday, April 07, 2003 2:46 PM
To: snort-users at lists.sourceforge.net; snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SMTP From Comment Overflow rule problems

Hi,

I have been getting several alerts for SID 2087 that appear false to me.
The way I read the sig, it should trigger on:

From:<><><><><><><><><><><><><><><><><><><><><><>@(@)

Where '@' could be any character.

However, none of the alerts match the content criteria. It looks like
the distance keyword is not working. Has anyone else run across this, or
am I misunderstanding the signature?

----- rule -----
SID: 2087
Message: SMTP From comment overflow 
Signature:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; \
    flow:to_server,established; content:"From\:"; \
    content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; \
    content:"("; distance:1; content:")"; distance:1; \
    reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; \
    classtype:attempted-admin; sid:2087; rev:2;)

----- payload from ACID -----
 length = 1368

000 : 52 65 63 65 69 76 65 64 3A 20 28 66 72 6F 6D 20   Received: (from 
010 : 64 61 65 6D 6F 6E 40 6C 6F 63 61 6C 68 6F 73 74   daemon@localhost
020 : 29 0D 0A 09 62 79 20 6D 61 69 6C 32 2E 67 6C 6F   )...by mail2.glo
030 : 62 61 6C 70 6D 6E 65 74 2E 63 6F 6D 20 28 38 2E   balpmnet.com (8.
040 : 38 2E 38 2F 38 2E 38 2E 38 29 20 69 64 20 53 41   8.8/8.8.8) id SA
050 : 41 36 31 35 36 34 3B 0D 0A 09 53 75 6E 2C 20 36   A61564;...Sun, 6
060 : 20 41 70 72 20 32 30 30 33 20 31 38 3A 32 38 3A    Apr 2003 18:28:
070 : 32 33 20 2D 30 34 30 30 20 28 45 44 54 29 0D 0A   23 -0400 (EDT)..
080 : 44 61 74 65 3A 20 53 75 6E 2C 20 36 20 41 70 72   Date: Sun, 6 Apr
090 : 20 32 30 30 33 20 31 38 3A 32 38 3A 32 33 20 2D    2003 18:28:23 -
0a0 : 30 34 30 30 20 28 45 44 54 29 0D 0A 4D 65 73 73   0400 (EDT)..Mess
0b0 : 61 67 65 2D 49 64 3A 20 3C 32 30 30 33 30 34 30   age-Id: <2003040
0c0 : 36 32 32 32 38 2E 53 41 41 36 31 35 36 34 40 6D   62228.SAA61564@m
0d0 : 61 69 6C 32 2E 67 6C 6F 62 61 6C 70 6D 6E 65 74   ail2.globalpmnet
0e0 : 2E 63 6F 6D 3E 0D 0A 46 72 6F 6D 3A 20 48 65 61   .com>..From: Hea
0f0 : 72 74 62 75 72 6E 20 48 65 6C 70 20 3C 79 6C 70   rtburn Help <ylp
100 : 6F 69 6E 74 40 6D 61 69 6C 32 2E 67 6C 6F 62 61   oint@mail2.globa
110 : 6C 70 6D 6E 65 74 2E 63 6F 6D 3E 0D 0A 54 6F 3A   lpmnet.com>..To:
120 : 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    XXXXXXXXXXXXXXX
130 : 00 00 00 00 00 00 00 00 0D 0A 53 75 62 6A 65 63   XXXXXXXX..Subjec
140 : 74 3A 20 44 6F 20 79 6F 75 20 68 61 76 65 20 68   t: Do you have h
150 : 65 61 72 74 62 75 72 6E 3F 20 0D 0A 4D 49 4D 45   eartburn? ..MIME
160 : 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D 0A 43   -Version: 1.0..C
170 : 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 6D 75 6C   ontent-Type: mul
180 : 74 69 70 61 72 74 2F 61 6C 74 65 72 6E 61 74 69   tipart/alternati
190 : 76 65 3B 20 62 6F 75 6E 64 61 72 79 3D 22 4D 49   ve; boundary="MI
1a0 : 4D 45 5F 42 4F 55 4E 44 41 52 59 2D 31 36 37 36   ME_BOUNDARY-1676
1b0 : 30 2D 30 2D 31 30 34 39 36 37 37 32 30 32 22 0D   0-0-1049677202".
1c0 : 0A 0D 0A 2D 2D 4D 49 4D 45 5F 42 4F 55 4E 44 41   ...--MIME_BOUNDA
1d0 : 52 59 2D 31 36 37 36 30 2D 30 2D 31 30 34 39 36   RY-16760-0-10496
1e0 : 37 37 32 30 32 0D 0A 43 6F 6E 74 65 6E 74 2D 54   77202..Content-T
1f0 : 79 70 65 3A 20 74 65 78 74 2F 70 6C 61 69 6E 3B   ype: text/plain;
200 : 20 63 68 61 72 73 65 74 3D 22 69 73 6F 2D 38 38    charset="iso-88
210 : 35 39 2D 31 22 0D 0A 43 6F 6E 74 65 6E 74 2D 44   59-1"..Content-D
220 : 69 73 70 6F 73 69 74 69 6F 6E 3A 20 69 6E 6C 69   isposition: inli
230 : 6E 65 0D 0A 0D 0A 44 6F 20 79 6F 75 20 68 61 76   ne....Do you hav
240 : 65 20 68 65 61 72 74 62 75 72 6E 3F 20 20 43 6C   e heartburn?  Cl
250 : 69 63 6B 20 68 65 72 65 20 66 6F 72 20 66 72 65   ick here for fre
260 : 65 20 73 61 6D 70 6C 65 73 20 61 6E 64 20 69 6E   e samples and in
270 : 66 6F 72 6D 61 74 69 6F 6E 21 0D 0A 0D 0A 68 74   formation!....ht
280 : 74 70 3A 2F 2F 6D 61 69 6C 32 2E 67 6C 6F 62 61   tp://mail2.globa
290 : 6C 70 6D 6E 65 74 2E 63 6F 6D 2F 6D 2F 6C 3F 31   lpmnet.com/m/l?1
2a0 : 39 37 2D 34 62 6D 74 2D 32 2D 31 6F 6E 79 2D 37   97-4bmt-2-1ony-7
2b0 : 6C 31 6F 68 0D 0A 0D 0A 20 41 4F 4C 20 75 73 65   l1oh.... AOL use
2c0 : 72 73 20 67 6F 20 68 65 72 65 0D 0A 3C 20 68 74   rs go here..< ht
2d0 : 74 70 3A 2F 2F 6D 61 69 6C 32 2E 67 6C 6F 62 61   tp://mail2.globa
2e0 : 6C 70 6D 6E 65 74 2E 63 6F 6D 2F 6D 2F 6C 3F 31   lpmnet.com/m/l?1
2f0 : 39 37 2D 34 62 6D 74 2D 33 2D 31 6F 6E 79 2D 37   97-4bmt-3-1ony-7
300 : 6C 31 6F 68 20 3E 0D 0A 0D 0A 3C 3E 3C 3E 3C 3E   l1oh >....<><><>
310 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
320 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
330 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
340 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E   <><><><><><><><>
350 : 0D 0A 59 6F 75 20 72 65 63 65 69 76 65 64 20 74   ..You received t
360 : 68 69 73 20 65 6D 61 69 6C 20 62 65 63 61 75 73   his email becaus
370 : 65 20 79 6F 75 20 73 69 67 6E 65 64 20 75 70 20   e you signed up 
380 : 74 6F 20 72 65 63 65 69 76 65 20 6F 66 66 65 72   to receive offer
390 : 73 20 66 72 6F 6D 0D 0A 47 6C 6F 62 61 6C 50 6F   s from..GlobalPo
3a0 : 69 6E 74 20 4D 65 64 69 61 2C 20 4C 4C 43 2E 20   int Media, LLC. 
3b0 : 61 6E 64 20 69 74 73 20 6D 61 72 6B 65 74 69 6E   and its marketin
3c0 : 67 20 70 61 72 74 6E 65 72 73 2E 20 54 6F 20 75   g partners. To u
3d0 : 6E 73 75 62 73 63 72 69 62 65 2C 20 0D 0A 70 6C   nsubscribe, ..pl
3e0 : 65 61 73 65 20 66 6F 6C 6C 6F 77 20 74 68 65 20   ease follow the 
3f0 : 75 6E 73 75 62 73 63 72 69 62 65 20 28 6F 70 74   unsubscribe (opt
400 : 2D 6F 75 74 29 20 70 72 6F 63 65 64 75 72 65 73   -out) procedures
410 : 20 63 6F 6E 74 61 69 6E 65 64 20 62 65 6C 6F 77    contained below
420 : 2E 20 20 0D 0A 54 68 65 20 70 72 6F 64 75 63 74   .  ..The product
430 : 73 20 61 6E 64 2F 6F 72 20 73 65 72 76 69 63 65   s and/or service
440 : 73 20 61 64 76 65 72 74 69 73 65 64 20 69 6E 20   s advertised in 
450 : 74 68 69 73 20 65 6D 61 69 6C 20 61 72 65 20 74   this email are t
460 : 68 65 20 73 6F 6C 65 20 0D 0A 72 65 73 70 6F 6E   he sole ..respon
470 : 73 69 62 69 6C 69 74 79 20 6F 66 20 74 68 65 20   sibility of the 
480 : 61 64 76 65 72 74 69 73 65 72 2C 20 61 6E 64 20   advertiser, and 
490 : 71 75 65 73 74 69 6F 6E 73 20 61 62 6F 75 74 20   questions about 
4a0 : 74 68 69 73 20 6F 66 66 65 72 20 73 68 6F 75 6C   this offer shoul
4b0 : 64 20 0D 0A 62 65 20 64 69 72 65 63 74 65 64 20   d ..be directed 
4c0 : 74 6F 20 74 68 65 20 61 64 76 65 72 74 69 73 65   to the advertise
4d0 : 72 2E 20 20 47 6C 6F 62 61 6C 50 6F 69 6E 74 20   r.  GlobalPoint 
4e0 : 4D 65 64 69 61 2C 20 4C 4C 43 2E 20 31 36 33 20   Media, LLC. 163 
4f0 : 41 6D 73 74 65 72 64 61 6D 20 0D 0A 41 76 65 6E   Amsterdam ..Aven
500 : 75 65 2C 20 23 31 32 37 2C 20 4E 65 77 20 59 6F   ue, #127, New Yo
510 : 72 6B 2C 20 4E 59 20 31 30 30 32 33 2E 0D 0A 3C   rk, NY 10023...<
520 : 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C   ><><><><><><><><
530 : 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C   ><><><><><><><><
540 : 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C   ><><><><><><><><
550 : 3E 3C 3E 3C 3E 3C 3E 3C                           ><><><><

TIA,

Ron Shuck, CISSP - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org 
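The Snort semantics behind the alerts in this thread, as an added example that is not part of the original messages: distance:N is a minimum, not an exact gap. It tells Snort to begin searching for the next content N bytes after the end of the previous match and to keep searching to the end of the payload; only within:M caps that window. In SID 2087 the "<>" run may therefore sit hundreds of bytes after "From:", and the "(" and ")" may be the ones in "(opt-out)" in the footer, which is exactly the placement visible in the ACID dump above. The Python model below implements that documented meaning (trying every occurrence of every content, so it matches whenever any placement satisfies the constraints) and runs the rule as posted, Jacob's merged-content variant, and a within-bounded variant over a payload constructed from the dump and over a constructed header of the shape the rule intends to catch. The two payloads, the within:64 value, and every function and constant name are assumptions of this example, not Snort code.

```python
"""Toy model of Snort 2 content / distance / within matching.

Added example for this thread, not code from Snort or from the posters.
Model: a content with distance:N is searched for starting N bytes after the
END of the previous match (a lower bound); within:M restricts that search to
an M-byte window starting there; a content with no distance is searched for
anywhere in the payload. Every occurrence of every content is tried, so the
rule matches if any placement satisfies all constraints.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

Span = Tuple[int, int]  # (start, end) byte offsets of one content match


@dataclass(frozen=True)
class Content:
    pattern: bytes
    distance: Optional[int] = None  # None: not relative to the previous match
    within: Optional[int] = None


def _occurrences(payload: bytes, c: Content, prev_end: int) -> Iterator[Span]:
    """Yield every placement of c allowed by its distance/within modifiers."""
    if c.distance is None:
        lo, hi = 0, len(payload)
    else:
        lo = prev_end + c.distance
        hi = len(payload) if c.within is None else min(len(payload), lo + c.within)
    i = payload.find(c.pattern, lo, hi)
    while i != -1:
        yield i, i + len(c.pattern)
        i = payload.find(c.pattern, i + 1, hi)


def match_rule(payload: bytes, contents: List[Content], prev_end: int = 0) -> Optional[List[Span]]:
    """Return one span per content if the rule matches, else None (backtracking)."""
    if not contents:
        return []
    for start, end in _occurrences(payload, contents[0], prev_end):
        rest = match_rule(payload, contents[1:], end)
        if rest is not None:
            return [(start, end)] + rest
    return None


# The "<>" run copied from SID 2087 as quoted in the thread.
ANGLES = b"<><><><><><><><><><><><><><><><><><><><><><>"

# SID 2087 as posted: From: ... <>run ... ( ... )
SID_2087 = [Content(b"From:"), Content(ANGLES, distance=0),
            Content(b"(", distance=1), Content(b")", distance=1)]

# Jacob's suggestion: glue the first two contents into one.
MERGED = [Content(b"From:" + ANGLES),
          Content(b"(", distance=1), Content(b")", distance=1)]

# Alternative: keep two contents but bound the gap (64 is an arbitrary choice here).
BOUNDED = [Content(b"From:"), Content(ANGLES, distance=0, within=64),
           Content(b"(", distance=1), Content(b")", distance=1)]

# Constructed payload reproducing the salient parts of the ACID dump: a normal
# From: header, then a 70-byte "<>" divider and "(opt-out)" in the body text.
SPAM = (
    b"From: Heartburn Help <ylpoint@mail2.globalpmnet.com>\r\n"
    b"To: recipient@example.invalid\r\n"  # the real address was zeroed in the dump
    b"Subject: Do you have heartburn? \r\n\r\n"
    b"Do you have heartburn?  Click here for free samples and information!\r\n\r\n"
    + b"<>" * 35 + b"\r\n"
    + b"You received this email because you signed up to receive offers from\r\n"
    b"GlobalPoint Media, LLC. To unsubscribe, \r\n"
    b"please follow the unsubscribe (opt-out) procedures contained below.\r\n"
)

# Constructed header of the shape the rule intends to catch: the run directly
# after "From:", then one byte, "(", one byte, ")".
SHAPED = b"From:" + ANGLES + b"x(y)\r\n"


def gap_after_from(payload: bytes, rule: List[Content]) -> Optional[int]:
    """Bytes between the end of the From: match and the start of the <> run, or None."""
    spans = match_rule(payload, rule)
    return None if spans is None else spans[1][0] - spans[0][1]


if __name__ == "__main__":
    for name, rule in (("SID 2087 as posted", SID_2087), ("merged", MERGED), ("within-bounded", BOUNDED)):
        print(f"{name:20} spam: {str(match_rule(SPAM, rule) is not None):5} "
              f"shaped: {match_rule(SHAPED, rule) is not None}")
    print("gap between From: and <> run in the spam:", gap_after_from(SPAM, SID_2087), "bytes")
```

Running it shows the rule as posted matching the spam with a gap of well over a hundred bytes between "From:" and the run, while the merged and within-bounded variants reject the spam and all three accept the constructed header. Merging the contents is the tighter of the two fixes but also the more brittle: it requires the run to start at the byte immediately after the colon, so a space or display name before it would defeat the rule.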