[Snort-users] RE: [Snort-sigs] SMTP From Comment Overflow rule problems

From: Ron Shuck (rshuckBuchanan.com)
Date: Fri Apr 11 2003 - 07:56:02 CDT


I agree. I plan to change my rule, but it still looks like the distance
options may not be working, at least not as I expect.

Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org

-----Original Message-----
From: Jacob Hurley [mailto:jacobhaos5.com]
Sent: Friday, April 11, 2003 1:53 AM
To: Ron Shuck; snort-sigslists.sourceforge.net
Subject: RE: [Snort-sigs] SMTP From Comment Overflow rule problems

        Yes, I have been wondering the exact same thing. I have seen
many trigger on email very similar to yours being caught. What would be
the harm of changing this:

content:"From\:";
content:"<><><><><><><><><><><><><><><><><><><><><><>";

to something like:

content:"From\:<><><><><><><><><><><><><><><><><><><><><><>";

Jacob Hurley
Network Operations Center
Alexander Open Systems

-----Original Message-----
From: Ron Shuck [mailto:rshuckBuchanan.com]
Sent: Monday, April 07, 2003 2:46 PM
To: snort-userslists.sourceforge.net; snort-sigslists.sourceforge.net
Subject: [Snort-sigs] SMTP From Comment Overflow rule problems

Hi,

I have been getting several alerts for SID 2087 that appear false to me.
The way I read the sig is it should trigger on:

From:<><><><><><><><><><><><><><><><><><><><><><>()

Where '' could be any character.

However, none of the alerts match the content criteria. It looks like
the distance keyword is not working. Has anyone else run across this, or
am I misunderstanding the signature?

----- rule -----
SID: 2087
Message: SMTP From comment overflow
Signature:
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From\:"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"("; distance:1; content:")"; distance:1; reference:cve,CAN-2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:2;)

----- payload from ACID -----
 length = 1368

000 : 52 65 63 65 69 76 65 64 3A 20 28 66 72 6F 6D 20 Received: (from
010 : 64 61 65 6D 6F 6E 40 6C 6F 63 61 6C 68 6F 73 74 daemonlocalhost
020 : 29 0D 0A 09 62 79 20 6D 61 69 6C 32 2E 67 6C 6F )...by mail2.glo
030 : 62 61 6C 70 6D 6E 65 74 2E 63 6F 6D 20 28 38 2E balpmnet.com (8.
040 : 38 2E 38 2F 38 2E 38 2E 38 29 20 69 64 20 53 41 8.8/8.8.8) id SA
050 : 41 36 31 35 36 34 3B 0D 0A 09 53 75 6E 2C 20 36 A61564;...Sun, 6
060 : 20 41 70 72 20 32 30 30 33 20 31 38 3A 32 38 3A Apr 2003 18:28:
070 : 32 33 20 2D 30 34 30 30 20 28 45 44 54 29 0D 0A 23 -0400 (EDT)..
080 : 44 61 74 65 3A 20 53 75 6E 2C 20 36 20 41 70 72 Date: Sun, 6 Apr
090 : 20 32 30 30 33 20 31 38 3A 32 38 3A 32 33 20 2D 2003 18:28:23 -
0a0 : 30 34 30 30 20 28 45 44 54 29 0D 0A 4D 65 73 73 0400 (EDT)..Mess
0b0 : 61 67 65 2D 49 64 3A 20 3C 32 30 30 33 30 34 30 age-Id: <2003040
0c0 : 36 32 32 32 38 2E 53 41 41 36 31 35 36 34 40 6D 62228.SAA61564m
0d0 : 61 69 6C 32 2E 67 6C 6F 62 61 6C 70 6D 6E 65 74 ail2.globalpmnet
0e0 : 2E 63 6F 6D 3E 0D 0A 46 72 6F 6D 3A 20 48 65 61 .com>..From: Hea
0f0 : 72 74 62 75 72 6E 20 48 65 6C 70 20 3C 79 6C 70 rtburn Help <ylp
100 : 6F 69 6E 74 40 6D 61 69 6C 32 2E 67 6C 6F 62 61 ointmail2.globa
110 : 6C 70 6D 6E 65 74 2E 63 6F 6D 3E 0D 0A 54 6F 3A lpmnet.com>..To:
120 : 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 XXXXXXXXXXXXXXX
130 : 00 00 00 00 00 00 00 00 0D 0A 53 75 62 6A 65 63 XXXXXXXX..Subjec
140 : 74 3A 20 44 6F 20 79 6F 75 20 68 61 76 65 20 68 t: Do you have h
150 : 65 61 72 74 62 75 72 6E 3F 20 0D 0A 4D 49 4D 45 eartburn? ..MIME
160 : 2D 56 65 72 73 69 6F 6E 3A 20 31 2E 30 0D 0A 43 -Version: 1.0..C
170 : 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 6D 75 6C ontent-Type: mul
180 : 74 69 70 61 72 74 2F 61 6C 74 65 72 6E 61 74 69 tipart/alternati
190 : 76 65 3B 20 62 6F 75 6E 64 61 72 79 3D 22 4D 49 ve; boundary="MI
1a0 : 4D 45 5F 42 4F 55 4E 44 41 52 59 2D 31 36 37 36 ME_BOUNDARY-1676
1b0 : 30 2D 30 2D 31 30 34 39 36 37 37 32 30 32 22 0D 0-0-1049677202".
1c0 : 0A 0D 0A 2D 2D 4D 49 4D 45 5F 42 4F 55 4E 44 41 ...--MIME_BOUNDA
1d0 : 52 59 2D 31 36 37 36 30 2D 30 2D 31 30 34 39 36 RY-16760-0-10496
1e0 : 37 37 32 30 32 0D 0A 43 6F 6E 74 65 6E 74 2D 54 77202..Content-T
1f0 : 79 70 65 3A 20 74 65 78 74 2F 70 6C 61 69 6E 3B ype: text/plain;
200 : 20 63 68 61 72 73 65 74 3D 22 69 73 6F 2D 38 38 charset="iso-88
210 : 35 39 2D 31 22 0D 0A 43 6F 6E 74 65 6E 74 2D 44 59-1"..Content-D
220 : 69 73 70 6F 73 69 74 69 6F 6E 3A 20 69 6E 6C 69 isposition: inli
230 : 6E 65 0D 0A 0D 0A 44 6F 20 79 6F 75 20 68 61 76 ne....Do you hav
240 : 65 20 68 65 61 72 74 62 75 72 6E 3F 20 20 43 6C e heartburn? Cl
250 : 69 63 6B 20 68 65 72 65 20 66 6F 72 20 66 72 65 ick here for fre
260 : 65 20 73 61 6D 70 6C 65 73 20 61 6E 64 20 69 6E e samples and in
270 : 66 6F 72 6D 61 74 69 6F 6E 21 0D 0A 0D 0A 68 74 formation!....ht
280 : 74 70 3A 2F 2F 6D 61 69 6C 32 2E 67 6C 6F 62 61 tp://mail2.globa
290 : 6C 70 6D 6E 65 74 2E 63 6F 6D 2F 6D 2F 6C 3F 31 lpmnet.com/m/l?1
2a0 : 39 37 2D 34 62 6D 74 2D 32 2D 31 6F 6E 79 2D 37 97-4bmt-2-1ony-7
2b0 : 6C 31 6F 68 0D 0A 0D 0A 20 41 4F 4C 20 75 73 65 l1oh.... AOL use
2c0 : 72 73 20 67 6F 20 68 65 72 65 0D 0A 3C 20 68 74 rs go here..< ht
2d0 : 74 70 3A 2F 2F 6D 61 69 6C 32 2E 67 6C 6F 62 61 tp://mail2.globa
2e0 : 6C 70 6D 6E 65 74 2E 63 6F 6D 2F 6D 2F 6C 3F 31 lpmnet.com/m/l?1
2f0 : 39 37 2D 34 62 6D 74 2D 33 2D 31 6F 6E 79 2D 37 97-4bmt-3-1ony-7
300 : 6C 31 6F 68 20 3E 0D 0A 0D 0A 3C 3E 3C 3E 3C 3E l1oh >....<><><>
310 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
320 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
330 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
340 : 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E <><><><><><><><>
350 : 0D 0A 59 6F 75 20 72 65 63 65 69 76 65 64 20 74 ..You received t
360 : 68 69 73 20 65 6D 61 69 6C 20 62 65 63 61 75 73 his email becaus
370 : 65 20 79 6F 75 20 73 69 67 6E 65 64 20 75 70 20 e you signed up
380 : 74 6F 20 72 65 63 65 69 76 65 20 6F 66 66 65 72 to receive offer
390 : 73 20 66 72 6F 6D 0D 0A 47 6C 6F 62 61 6C 50 6F s from..GlobalPo
3a0 : 69 6E 74 20 4D 65 64 69 61 2C 20 4C 4C 43 2E 20 int Media, LLC.
3b0 : 61 6E 64 20 69 74 73 20 6D 61 72 6B 65 74 69 6E and its marketin
3c0 : 67 20 70 61 72 74 6E 65 72 73 2E 20 54 6F 20 75 g partners. To u
3d0 : 6E 73 75 62 73 63 72 69 62 65 2C 20 0D 0A 70 6C nsubscribe, ..pl
3e0 : 65 61 73 65 20 66 6F 6C 6C 6F 77 20 74 68 65 20 ease follow the
3f0 : 75 6E 73 75 62 73 63 72 69 62 65 20 28 6F 70 74 unsubscribe (opt
400 : 2D 6F 75 74 29 20 70 72 6F 63 65 64 75 72 65 73 -out) procedures
410 : 20 63 6F 6E 74 61 69 6E 65 64 20 62 65 6C 6F 77 contained below
420 : 2E 20 20 0D 0A 54 68 65 20 70 72 6F 64 75 63 74 . ..The product
430 : 73 20 61 6E 64 2F 6F 72 20 73 65 72 76 69 63 65 s and/or service
440 : 73 20 61 64 76 65 72 74 69 73 65 64 20 69 6E 20 s advertised in
450 : 74 68 69 73 20 65 6D 61 69 6C 20 61 72 65 20 74 this email are t
460 : 68 65 20 73 6F 6C 65 20 0D 0A 72 65 73 70 6F 6E he sole ..respon
470 : 73 69 62 69 6C 69 74 79 20 6F 66 20 74 68 65 20 sibility of the
480 : 61 64 76 65 72 74 69 73 65 72 2C 20 61 6E 64 20 advertiser, and
490 : 71 75 65 73 74 69 6F 6E 73 20 61 62 6F 75 74 20 questions about
4a0 : 74 68 69 73 20 6F 66 66 65 72 20 73 68 6F 75 6C this offer shoul
4b0 : 64 20 0D 0A 62 65 20 64 69 72 65 63 74 65 64 20 d ..be directed
4c0 : 74 6F 20 74 68 65 20 61 64 76 65 72 74 69 73 65 to the advertise
4d0 : 72 2E 20 20 47 6C 6F 62 61 6C 50 6F 69 6E 74 20 r. GlobalPoint
4e0 : 4D 65 64 69 61 2C 20 4C 4C 43 2E 20 31 36 33 20 Media, LLC. 163
4f0 : 41 6D 73 74 65 72 64 61 6D 20 0D 0A 41 76 65 6E Amsterdam ..Aven
500 : 75 65 2C 20 23 31 32 37 2C 20 4E 65 77 20 59 6F ue, #127, New Yo
510 : 72 6B 2C 20 4E 59 20 31 30 30 32 33 2E 0D 0A 3C rk, NY 10023...<
520 : 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C ><><><><><><><><
530 : 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C ><><><><><><><><
540 : 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C 3E 3C ><><><><><><><><
550 : 3E 3C 3E 3C 3E 3C 3E 3C ><><><><

TIA,

Ron Shuck, CISSP - Managing Consultant
Buchanan Associates - A Technology Company in the People Business
http://www.buchanan.com
http://www.isc2.org
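The following is an added example, not code from the thread or from the Snort project. It is a small model of how Snort evaluates a chain of content matches with the distance and within modifiers, run over a constructed payload shaped like the ACID capture above (addresses and domains replaced with placeholders). The assumed semantics are the ones the Snort manual documents: distance:N moves the start of the search to N bytes past the end of the previous match, and within:N limits the search window to N bytes. With no within, the next content may sit anywhere later in the packet, which is why SID 2087 as written is looser than "From:<>...<>x(x)" reads and why it fires on ordinary mail that happens to contain "(" and ")" somewhere after the run of "<>". The "pinned" chain, which uses within to require each piece to follow immediately, is my addition to illustrate the difference; the merged single-content variant is the one proposed in the thread.

```python
"""Model of Snort content / distance / within evaluation (added example,
not from the thread or the Snort project).  Semantics are assumed from the
Snort manual: distance:N offsets the search start from the previous match
end; within:N bounds the window length; contents with neither modifier
are absolute and searched from offset 0."""
from typing import Dict, List, Optional, Tuple

Content = Tuple[bytes, Optional[int], Optional[int]]  # (pattern, distance, within)
Span = Tuple[int, int]


def match_chain(payload: bytes, chain: List[Content], prev_end: int = 0) -> Optional[List[Span]]:
    """Match the contents in order and return the (start, end) of each hit,
    or None if the chain does not match.  Backtracks over earlier candidate
    positions when a later relative content fails."""
    if not chain:
        return []
    pattern, distance, within = chain[0]
    relative = distance is not None or within is not None
    start = (prev_end + (distance or 0)) if relative else 0
    stop = len(payload) if within is None else min(len(payload), start + within)
    pos = payload.find(pattern, start, stop)
    while pos >= 0:
        end = pos + len(pattern)
        rest = match_chain(payload, chain[1:], end)
        if rest is not None:
            return [(pos, end)] + rest
        pos = payload.find(pattern, pos + 1, stop)
    return None


# Constructed sample modelled on the ACID capture in the thread; not the
# captured bytes themselves (placeholder domains and addresses).
PAYLOAD = b"".join([
    b"Received: (from daemon@localhost)\r\n",
    b"\tby mail2.example.invalid (8.8.8/8.8.8) id SAA61564;\r\n",
    b"Date: Sun, 6 Apr 2003 18:28:23 -0400 (EDT)\r\n",
    b"From: Heartburn Help <sender@mail2.example.invalid>\r\n",
    b"To: recipient@example.invalid\r\n",
    b"Subject: Do you have heartburn?\r\n",
    b"\r\n",
    b"Do you have heartburn?  Click here for free samples and information!\r\n",
    b"\r\n",
    b"<>" * 35, b"\r\n",
    b"You received this email because you signed up to receive offers.\r\n",
    b"To unsubscribe, please follow the unsubscribe (opt-out) procedures\r\n",
    b"contained below.\r\n",
    b"<>" * 28,
])

LT_GT_RUN = b"<>" * 22  # the 44-byte content from SID 2087

RULES: Dict[str, List[Content]] = {
    # SID 2087 as posted: "(" and ")" may occur anywhere after the "<>" run.
    "sid2087": [(b"From:", None, None), (LT_GT_RUN, 0, None), (b"(", 1, None), (b")", 1, None)],
    # The single contiguous content proposed in the thread.
    "merged": [(b"From:" + LT_GT_RUN, None, None)],
    # Hypothetical: each piece pinned to the bytes right after the previous
    # match via within (not part of the thread's rule).
    "pinned": [(b"From:", None, None), (LT_GT_RUN, 0, len(LT_GT_RUN)), (b"(", 1, 1), (b")", 1, 1)],
}


def evaluate(payload: bytes = PAYLOAD) -> Dict[str, Optional[List[Span]]]:
    """Run every rule variant over the payload; None means no alert."""
    return {name: match_chain(payload, chain) for name, chain in RULES.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        if hits is None:
            print(f"{name:8s}: no match")
        else:
            pieces = " ... ".join(repr(PAYLOAD[s:e][:12]) for s, e in hits)
            print(f"{name:8s}: match at offsets {[s for s, _ in hits]}  {pieces}")
```

Running it shows the posted rule matching with "(" and ")" taken from the "(opt-out)" text far below the "<>" run, while both the merged content and the within-pinned chain stay silent on the same bytes.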


