Lucas, I looked at this same problem pretty heavily a few weeks ago and have a couple of comments / questions:
1st, with SA I am 99.9% certain you don't need to do the http[s] test. The URI scan system will only pass in URL strings and it is theoretical that IE will completely parse a URL without the http[s] so I leave that part of the scanning to SA.

2nd, your rule won't match the 5th URL below. I also don't believe the 5th URL is a valid exploit. I couldn't get it to work in IE or Mozilla.

3rd, I can't think of a legit reason to do a %00 or %01 in a URL to begin with so I scored it much much higher.

In conclusion, I can't find a reason not to continue using this test and thought it would be helpful to repost it for comment now that there is some interest in it.

uri KAM_URIPARSE /(\%0[01]|\0).*\@/i
describe KAM_URIPARSE Attempted use of URI bug. Very high probability of fraud.
score KAM_URIPARSE 7.00

regards,

KAM

> Rule to detect IE exploit.
>
> Your mileage may vary.
>
> Will match these exploits:
> Replace ttp with http (so it will slip by my scanner and McAfee.)
>
> ttp://[EMAIL PROTECTED]/malicious.html
> ttp://[EMAIL PROTECTED]/malicious.html
> ttp://[EMAIL PROTECTED]/malicious.html
> ttp://[EMAIL PROTECTED]
> ttp://[EMAIL PROTECTED]/
>
> Attached is the sa local.cf rule to do this.
> I recommend you leave it at the default level and see what you catch
> before raising the score.
>
> uri IE_ADDRESS_SPOOF_EXPLOIT /^https?\:\/\/[^\/\s].*%0[1|0]@/
> describe IE_ADDRESS_SPOOF_EXPLOIT Message contains IE address spoof
> score IE_ADDRESS_SPOOF_EXPLOIT .01
>
> You can see the regexp match by putting these items in a file and running
> this from the command line against a file:
>
> perl -ne 'print if s/(https?\:\/\/[^\/\s].*%0[1|0]@)/$1/' /tmp/test.txt

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


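An added check, written here as an illustration and not part of the thread or of either poster's local.cf: both rules transcribed into Python's re module (which handles these particular patterns the same way SpamAssassin's Perl engine does) and run over constructed sample URIs. It shows the differences KAM describes: his rule does not require the http[s] prefix, it also fires on a raw NUL byte, and it does not require the escape to sit immediately before the @, so it hits inputs that Lucas's pattern misses, while neither rule fires on an ordinary user@host URL or on a %00 with no later @. Note also that [1|0] in Lucas's rule is a character class containing a literal pipe, not an alternation; harmless, but [01] is what was meant. The domains and URIs below are constructed examples, and the score values are taken from the two rules as posted.

```python
import re

# Both rules exactly as posted in the thread, with their posted scores.
# SpamAssassin compiles uri rules as Perl regexes; Python's re gives the same
# results for these two patterns.
RULES = {
    # Lucas's rule: needs a scheme, and %00/%01 directly before the '@'.
    # ([1|0] is a character class: '1', '|' or '0'.)
    "IE_ADDRESS_SPOOF_EXPLOIT": (re.compile(r"^https?\:\/\/[^\/\s].*%0[1|0]@"), 0.01),
    # KAM's rule: a %00/%01 escape (or a raw NUL byte) anywhere before a later '@'.
    "KAM_URIPARSE": (re.compile(r"(\%0[01]|\0).*\@", re.IGNORECASE), 7.00),
}


def matching_rules(uri):
    """Names of the rules whose regex matches this URI string, in RULES order."""
    return [name for name, (rx, _) in RULES.items() if rx.search(uri)]


def score(uri):
    """Total score SpamAssassin would add for this URI from these two rules."""
    return sum(RULES[name][1] for name in matching_rules(uri))


def pipe_is_literal():
    """True: Lucas's [1|0] class accepts a literal '|' between %0 and @."""
    return RULES["IE_ADDRESS_SPOOF_EXPLOIT"][0].search("http://h%0|@x") is not None


# Constructed sample URIs (the thread's own examples were redacted by the archive).
SAMPLES = [
    # Spoof form both rules target: apparent host, %00, then the real host.
    "http://www.example.com%00@evil.example/malicious.html",
    "http://www.example.com%01@evil.example/",
    # Escape not directly before the '@': only KAM's rule matches.
    "http://www.example.com%00.fake@evil.example/",
    # Raw NUL byte instead of a percent escape: only KAM's rule matches.
    "http://www.example.com\x00@evil.example/",
    # Scheme-less string, as SA's uri scanner may hand in: only KAM's rule matches.
    "www.example.com%00@evil.example/",
    # Benign userinfo URL: neither rule matches.
    "http://user@example.com/",
    # %00 with no later '@': neither rule matches.
    "http://example.com/?x=%00",
]


def report(samples=SAMPLES):
    """Map each sample URI to (matching rule names, total score)."""
    return {uri: (matching_rules(uri), round(score(uri), 2)) for uri in samples}


if __name__ == "__main__":
    for uri, (hits, total) in report().items():
        print(f"{total:5.2f}  {hits or '-'}  {uri!r}")
```

Running it prints one line per sample with the score and the rules that fired; the third, fourth and fifth samples are the ones where only KAM_URIPARSE hits, which is the gap he points out.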