Re: HELP ON POP3 FALSE ATTACHMENT SIGNATURE
From: Srinivasa Rao Addepalli (srao_at_intotoinc.com)
Date: 06/18/03
- Previous message: David Markle: "RE: Views and Correlation in Intrusion Detection"
- In reply to: Aravinda T: "HELP ON POP3 FALSE ATTACHMENT SIGNATURE"
To: <aravindat@internettrends.co.in>, <focus-ids@securityfocus.com>
Date: Tue, 17 Jun 2003 20:39:39 -0700
Hi Aravind,
You need to give more information. But based on your
description, I feel you should look at the MIME header in the
email body. In any case, it is better to build POP3 protocol
intelligence to figure out the 'envelope' header and email data
message. Then you can do a content search on part of the
envelope OR part of the MIME header field.
Doing a content search on the packets might give you
false negatives and false positives.
Srini
Intoto Inc.
Enabling Security Infrastructure
3160, De La Cruz Blvd #100
Santa Clara, CA 95054
www.intotoinc.com
----- Original Message -----
From: "Aravinda T" <aravindat@internettrends.co.in>
To: <focus-ids@securityfocus.com>
Cc: <focus-ids-owner@securityfocus.com>
Sent: Sunday, June 15, 2003 10:38 PM
Subject: HELP ON POP3 FALSE ATTACHMENT SIGNATURE
> Hi all,
>
> In our company we are developing a host based IDS for all Windows
> platforms. In that they asked me to write code for detecting POP3 false
> attachment attack. I am giving the description of this attack below.
>
> Description:
> Versions of MS Outlook are vulnerable to receiving
> a hidden, potentially hostile attachment. An arbitrary string of characters,
> supplied by the sender to the 'subject:' field, will be received and
> interpreted by vulnerable versions of Outlook as an attachment to the
> message. If this string is properly constructed, it can be executable and
> capable of performing hostile actions on the vulnerable host. This can also
> be used to circumvent Outlook's dangerous file security feature.
>
> So, please help me write a signature for this attack. Any info regarding
> this one is highly appreciated.
> Thanks and regards,
> Aravind.
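The approach suggested in the reply above, as an added example that is not part of the original thread: reassemble the POP3 RETR response, separate the header block from the body, and match only inside the Subject field, compared with a per-packet content search. `SIGTOKEN` is a placeholder for the real signature pattern, which the thread does not give; the function names and sample traffic are constructed for illustration.

```python
import re

# Placeholder pattern (assumption): stands in for the actual signature bytes.
PATTERN = re.compile(rb"SIGTOKEN")

def pop3_message(stream: bytes) -> bytes:
    """Return the message carried in a reassembled RETR response."""
    lines = stream.split(b"\r\n")
    if not lines[0].startswith(b"+OK"):
        raise ValueError("not a positive RETR response")
    out = []
    for line in lines[1:]:
        if line == b".":                      # multi-line terminator
            return b"\r\n".join(out)
        # Undo POP3 byte-stuffing: a leading '.' was added by the server.
        out.append(line[1:] if line.startswith(b".") else line)
    raise ValueError("terminator not seen yet; keep buffering")

def split_headers(message: bytes):
    """Split header block from body and unfold continuation lines."""
    head, _, body = message.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n(?=[ \t])", b"", head)   # unfold folded headers
    headers = {}
    for line in head.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def packet_search(packets) -> bool:
    """Naive signature: look for the pattern in each packet on its own."""
    return any(PATTERN.search(p) for p in packets)

def subject_hit(packets) -> bool:
    """Protocol-aware signature: match only inside the Subject field."""
    headers, _ = split_headers(pop3_message(b"".join(packets)))
    return any(PATTERN.search(v) for v in headers.get(b"subject", []))

# Constructed sample A: pattern is in Subject but split across two segments.
PACKETS_A = [b"+OK 120 octets\r\nFrom: a@example.test\r\nSubject: hello SIGT",
             b"OKEN\r\n\r\nbody text\r\n.\r\n"]
# Constructed sample B: pattern appears only in the body of a benign mail.
PACKETS_B = [b"+OK 90 octets\r\nSubject: weekly report\r\n\r\n"
             b"The IDS rule matches SIGTOKEN\r\n..dot-stuffed line\r\n.\r\n"]

if __name__ == "__main__":
    for name, pkts in (("A", PACKETS_A), ("B", PACKETS_B)):
        print(name, "packet:", packet_search(pkts), "subject:", subject_hit(pkts))
```

Sample A is a false negative for the per-packet search and sample B is a false positive; the field-scoped check gets both right.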