[Mimedefang] OT:sa rule to catch ie exploit
Lucas Albers
admin at cs.montana.edu
Thu Jan 22 17:39:31 EST 2004
Rule to detect IE exploit.
Your mileage may vary.
Will match these exploits:
Replace ttp with http (so it will slip by my scanner and McAfee):
ttp://www.trusted_site.com%01%00@malicious_site.com/malicious.html
ttp://www.trusted_site.com%01@malicious_site.com/malicious.html
ttp://www.trusted_site.com%00@malicious_site.com/malicious.html
ttp://www.trusted.com%00@www.malicious.com
ttp://www.malicious.com%C0%80@www.trusted.com/
Attached is the sa local.cf rule to do this.
I recommend you leave it at the default level and see what you catch
before raising the score.
uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[01]@/
describe IE_ADDRESS_SPOOF_EXPLOIT Message contains IE address spoof
score IE_ADDRESS_SPOOF_EXPLOIT .01
You can see the regexp match by putting these items in a file and running
this from the command line against a file:
perl -ne 'print if /https?:\/\/[^\/\s].*%0[01]@/' /tmp/test.txt
--
Luke Computer Science System Administrator
Security Administrator, College of Engineering
Montana State University-Bozeman, Montana
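The following is an added example, not part of Lucas's post or of SpamAssassin itself. It shows what the uri rule above is looking for from the defender's side: a URL whose authority part carries a percent-encoded control byte before the "@", so that the text before it (the "displayed" host) differs from the host the browser actually connects to. The script walks the sample URLs from the post (embedded here with ttp already replaced by http, plus two constructed benign URLs) and reports displayed host, actual host and whether the obfuscation sequence is present. It goes slightly beyond the posted rule by also recognising the overlong %C0%80 form listed among the samples; the regexes and function names are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Percent-encoded sequences the post lists as hiding the '@' in the authority
# part of the URL: %00, %01 and the overlong NUL %C0%80.
OBFUSCATOR = re.compile(r'%(?:0[01]|C0%80)', re.IGNORECASE)

# Crude URL extractor for message bodies (assumption: plain-text mail).
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def analyse_url(url):
    """Return (displayed_host, actual_host, suspicious) for one URL.

    displayed_host is what a user reading the link would take to be the
    site; actual_host is the host after the last '@', i.e. the one the
    client really connects to; suspicious is True when a control-byte
    obfuscator sits inside the userinfo part.
    """
    authority = urlsplit(url).netloc
    if '@' not in authority:
        host = authority.lower()
        return (host, host, False)
    userinfo, actual = authority.rsplit('@', 1)
    match = OBFUSCATOR.search(userinfo)
    # Everything before the first obfuscator is the visible "host" text.
    displayed = userinfo[:match.start()] if match else userinfo
    return (displayed.lower(), actual.lower(), match is not None)


def scan_text(text):
    """Return a list of (url, displayed_host, actual_host) for every URL in
    text that uses the control-byte userinfo trick."""
    hits = []
    for url in URL_RE.findall(text):
        displayed, actual, suspicious = analyse_url(url)
        if suspicious:
            hits.append((url, displayed, actual))
    return hits


# Constructed sample message: the five URLs from the post (ttp -> http),
# a legitimate URL with ordinary userinfo, and a plain URL. Only the first
# five should be reported.
SAMPLE_MESSAGE = """\
Please confirm your account:
http://www.trusted_site.com%01%00@malicious_site.com/malicious.html
http://www.trusted_site.com%01@malicious_site.com/malicious.html
http://www.trusted_site.com%00@malicious_site.com/malicious.html
http://www.trusted.com%00@www.malicious.com
http://www.malicious.com%C0%80@www.trusted.com/
http://user:pass@example.com/ordinary-userinfo
http://www.example.com/plain
"""

if __name__ == "__main__":
    for url, shown, real in scan_text(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS {url}\n  looks like: {shown}\n  actually:   {real}")
```

Run as a script it prints the five flagged URLs with the host a reader would see beside the host that is really contacted; the ordinary user:pass URL is not reported because no control byte precedes its "@". Compared with the single regex in local.cf, splitting the authority this way makes the mismatch explicit, which is the useful detail to put in a quarantine notice or a SIEM event.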