Microsoft Internet Explorer EPM MOTWCreateFileW file access bypass attempt

 

flow:to_client,established; file_data; content:"|3A FF 75 08 0F 57 C0 66 0F D6 06 C7 46 08 00 00 00 00 C7 46 04 00 00 00 00 C7 46 08 01|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:policy-violation;

flow:to_client,established;

http://manual.snort.org/node33.html#SECTION00469000000000000000

The flow keyword is used in conjunction with session tracking. It allows rules to only apply to certain directions of the traffic flow.

This allows rules to only apply to clients or servers. This allows packets related to $HOME_NET clients viewing web pages to be distinguished from servers running in the $HOME_NET.

  • Established connection (TCP without SYN), triggered on server responses only.

file_data;

This option sets the cursor used for detection to one of the following buffers:

  1. When the traffic being detected is HTTP it sets the buffer to:
     a. HTTP response body (without chunking/compression/normalization)
     b. HTTP de-chunked response body
     c. HTTP decompressed response body (when inspect_gzip is turned on)
     d. HTTP normalized response body (when normalized_javascript is turned on)
     e. HTTP UTF normalized response body (when normalize_utf is turned on)
     f. All of the above
  2. When the traffic being detected is SMTP/POP/IMAP it sets the buffer to:
     a. SMTP/POP/IMAP data body (including Email headers and MIME when decoding is turned off)
     b. Base64 decoded MIME attachment (when b64_decode_depth is greater than -1)
     c. Non-Encoded MIME attachment (when bitenc_decode_depth is greater than -1)
     d. Quoted-Printable decoded MIME attachment (when qp_decode_depth is greater than -1)
     e. Unix-to-Unix decoded attachment (when uu_decode_depth is greater than -1)

Any relative or absolute content matches (without HTTP modifiers or rawbytes) and payload detecting rule options that follow file_data in a rule will apply to this buffer until explicitly reset by other rule options.

  • Further analysis is done on the discovered file/attachment body only, not on the surrounding headers.

content:"|3A FF 75 08 0F 57 C0 66 0F D6 06 C7 46 08 00 00 00 00 C7 46 04 00 00 00 00 C7 46 08 01|";

http://www.rapidtables.com/convert/number/hex-to-ascii.htm

  • Look for the HEX string (ASCII:  in file attachments
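Added example (not code from the original post or from Snort): a small Python model of how the content string and the file_data buffer selection interact. It parses the rule's |hex| content notation, extracts the buffer file_data would inspect for HTTP (response body) and for mail services (base64-decoded MIME attachment), and applies the byte match to constructed sample traffic; the sample file, HTTP response and mail message are made up for the demonstration.

```python
import base64
import re

# The content string from the rule above, parsed the way Snort reads it.
RULE_CONTENT = ('|3A FF 75 08 0F 57 C0 66 0F D6 06 C7 46 08 00 00 00 00 '
                'C7 46 04 00 00 00 00 C7 46 08 01|')

def parse_snort_content(spec: str) -> bytes:
    """Text outside |...| is literal (\\| \\" \\\\ escapes); inside is hex bytes."""
    out = bytearray()
    for idx, seg in enumerate(re.split(r'(?<!\\)\|', spec)):
        if idx % 2:                      # odd segments sit between pipe characters
            out += bytes.fromhex(seg)
        else:
            out += re.sub(r'\\([|"\\])', r'\1', seg).encode('latin-1')
    return bytes(out)

PATTERN = parse_snort_content(RULE_CONTENT)

def http_response_body(raw: bytes) -> bytes:
    """file_data on HTTP: the response body after the header block."""
    _, sep, body = raw.partition(b'\r\n\r\n')
    return body if sep else b''

def mime_base64_attachments(msg: bytes) -> list:
    """file_data on SMTP/POP3/IMAP: base64-decoded MIME parts (b64_decode_depth > -1)."""
    hdr = rb'Content-Transfer-Encoding: base64\r\n(?:[^\r\n]+\r\n)*\r\n((?:[A-Za-z0-9+/=]+\r\n)+)'
    return [base64.b64decode(m.group(1).replace(b'\r\n', b''))
            for m in re.finditer(hdr, msg)]

def rule_matches(buffer: bytes) -> bool:
    """fast_pattern:only: the rule fires iff the literal bytes occur in the buffer."""
    return PATTERN in buffer

def inspect(raw: bytes, service: str) -> bool:
    """Pick the file_data buffer(s) for the service, then apply the content match."""
    buffers = [http_response_body(raw)] if service == 'http' else mime_base64_attachments(raw)
    return any(rule_matches(b) for b in buffers)

# Constructed sample traffic (not real captures): the signature bytes inside filler.
SAMPLE_FILE = b'MZ\x90\x00' + b'\x00' * 12 + PATTERN + b'\xc3' * 8
SAMPLE_HTTP = b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n' + SAMPLE_FILE
SAMPLE_MAIL = (b'From: a@example.test\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
               b'--b1\r\nContent-Type: application/octet-stream\r\n'
               b'Content-Transfer-Encoding: base64\r\n'
               b'Content-Disposition: attachment; filename="x.bin"\r\n\r\n'
               + base64.encodebytes(SAMPLE_FILE).replace(b'\n', b'\r\n') + b'--b1--\r\n')

if __name__ == '__main__':
    print('http body match:', inspect(SAMPLE_HTTP, 'http'))           # True
    print('raw mail text match:', rule_matches(SAMPLE_MAIL))          # False: still base64
    print('decoded attachment match:', inspect(SAMPLE_MAIL, 'pop3'))  # True
```

The raw mail case shows why file_data matters: without the base64 decode the bytes are never visible to the content match.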

fast_pattern:only;

http://manual.snort.org/node32.html#SECTION004522000000000000000

The fast_pattern keyword is a content modifier that sets the content within a rule to be used with the fast pattern matcher. Since the default behavior of fast pattern determination is to use the longest content in the rule, it is useful if a shorter content is more "unique" than the longer content, meaning the shorter content is less likely to be found in a packet than the longer content.

The fast pattern matcher is used to select only those rules that have a chance of matching by using a content in the rule for selection and only evaluating that rule if the content is found in the payload. Though this may seem to be overhead, it can significantly reduce the number of rules that need to be evaluated and thus increases performance. The better the content used for the fast pattern matcher, the less likely the rule will needlessly be evaluated.

  • With the "only" argument this content is handed to the fast pattern matcher alone and not re-evaluated as a normal content option, so the rule is cheaply pre-filtered and only fully evaluated when these bytes are present in the buffer.

metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3;

  • Apply to files (attachments) carried over ftp-data, http, imap or pop3; in the balanced-ips and security-ips policies the rule action becomes drop for the matching session.

classtype:policy-violation;

  • Classify the event as a company policy violation.