Need help with creating signature for pop3

L1 Bithead

I would need some assistance with setting up a custom signature for pop3.

 

I need to make a signature for the USER command returning "-ERR "; currently the PAN vuln signature only triggers on the PASS command in vuln ID 31709. I run into a fundamental issue, which is the 7 bytes: POP3 does not have a 7-byte minimum on return codes.

 

I'm suspecting I will need to do something like the following, but this is not triggering.

 

 

'Server Ack

context unknown-rsp-tcp-payload

pattern "\+OK.{0,70}(POP3 MDaemon).{0,70}"

negate no

 

'User passes username

context unknown-req-tcp-payload

pattern "/user/i .{0,100}"

negate no

 

 

context unknown-rsp-tcp-payload

pattern "/\-ERR/i.{0,70}"

negate no

 

Any idea on how I can get this done would be appreciated.

 

L4 Transporter

Good evening, apike!

 

I understand what you are requesting; however, given the current custom signature contexts available within PAN-OS, I am not certain if it is possible. I do not see any exposed POP3 contexts in our custom signature engine, meaning writing signatures for them is likely not possible.

 

The contexts unknown-req-tcp-payload and unknown-rsp-tcp-payload are for applications not successfully identified by the PAN-OS device (i.e. application unknown-tcp); since the traffic you are trying to trigger off of is nested within a properly interpreted application (POP3), this signature will not trigger.

 

The short version of my response is that I am uncertain if what you are trying to do via custom signature is possible; if it is, I do not know of a way to do it.

L5 Sessionator

Hi apike, welcome to community forums.

 

I am not completely sure, but I am thinking this might help: you need to work around Rick's comment because he is right. Why don't you try creating a custom app "myPOP3" and define it for port tcp/110? Thus you would override the built-in decoder for POP3, because custom apps should kick in first and disable further lookup, so there is a chance your vuln sigs will trigger now.

 

Or just create a custom app for your condition (perhaps in the whole session) and block that app. You have an explanation here of how to create signatures for the session (part of base signature creation).

 

Can you try it and let us know what your mileage was?

 

Best regards


Luciano

L1 Bithead

I need help with the regex. According to my regex "user ([A-Z a-z 0-9._\ \@]{0,100})" this is valid, but not according to PAN-OS.

 

Any thoughts?

L5 Sessionator

Hi,

 

For what it's worth, I think your signature is mostly valid, but it has some extra spaces and it also should probably escape brackets. I am not completely sure what you are trying to match; do you need brackets or not? Anyway, that is regex-wise; for PAN-OS you are failing to meet another requirement. The problem you are seeing is that for any custom signature, you have to have at least 7 bytes of fixed string, so no regex can be used WITHIN those 7 characters/bytes. You can use regex together with that anchor, but you must have a 7-byte anchor.

 

I really don't have any POP3 service running or configurable to test this with, but there MUST be some string in the email header that you can grab for this? (I still am not sure if my proposal works, as I can't test it.)

 

What I would try: I would set up

1. a custom but simple application for POP3, as explained, just defining tcp/110,

2. a simple vulnerability signature catching onto a fixed string, something like "subject",

3. an exception in all existing vuln profiles for this signature (you don't want it catching everything and anything before you test it!),

4. a new vuln profile (that does not have this in its exceptions),

5. a new security policy applying only to the sender/receiver of email, using the custom app and the vulnerability protection profile from step 4 (the only one that does not have the new vuln profile in its exception list).

 

This way, you will start with a very simple signature and work out if this works at all; if it does, then you can perhaps share with us how your headers usually look, so maybe we can together find some 7-byte string that would work better.

 

Best regards,

 

Luciano
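The 7-byte fixed-string requirement described above is easy to check before pushing a signature to the firewall. The following is an added example, not code from the thread or from Palo Alto Networks: a small Python tokenizer that pulls the literal (non-variable) runs out of a regex and reports whether any run reaches the 7-byte minimum. The tokenizer is a simplification (an assumption, not the PAN-OS engine): anything under a quantifier, inside a character class, or a metacharacter breaks a literal run. It is run against the patterns posted earlier in this thread.

```python
MIN_FIXED_BYTES = 7  # minimum fixed-string length stated in the thread for PAN-OS custom signatures


def literal_runs(pattern: str) -> list:
    """Return the runs of literal bytes in a regex pattern.

    Simplified model (assumption, not the PAN-OS engine):
      - an escaped metacharacter (\\+, \\-, \\@) contributes its literal byte
      - \\d, \\s, \\w and similar are classes, not literals, and break a run
      - [...] classes, groups, alternation, anchors and '.' break a run
      - a quantifier ({m,n}, *, +, ?) makes the preceding atom variable,
        so that atom is dropped from the run and the run ends
    """
    runs, cur, i = [], "", 0

    def flush():
        nonlocal cur
        if cur:
            runs.append(cur)
        cur = ""

    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt.isalnum():          # \d, \s, \w, \b ... are not literal bytes
                flush()
            else:                      # \+, \-, \@, \. ... are literal bytes
                cur += nxt
            i += 2
        elif ch == "[":                # character class: variable, skip it
            flush()
            j = pattern.find("]", i + 1)
            i = len(pattern) if j < 0 else j + 1
        elif ch == "{":                # {m,n} quantifier on the preceding atom
            cur = cur[:-1]
            flush()
            j = pattern.find("}", i + 1)
            i = len(pattern) if j < 0 else j + 1
        elif ch in "*+?":              # quantifier on the preceding atom
            cur = cur[:-1]
            flush()
            i += 1
        elif ch in "()|.^$":           # structure / wildcard: breaks the run
            flush()
            i += 1
        else:
            cur += ch
            i += 1
    flush()
    return runs


def longest_fixed_string(pattern: str) -> str:
    """Longest literal run in the pattern, measured in bytes (empty if none)."""
    runs = literal_runs(pattern)
    return max(runs, key=lambda r: len(r.encode())) if runs else ""


def has_fixed_anchor(pattern: str, minimum: int = MIN_FIXED_BYTES) -> bool:
    """True if the pattern carries a literal run of at least `minimum` bytes."""
    return len(longest_fixed_string(pattern).encode()) >= minimum


if __name__ == "__main__":
    # Patterns taken from the thread above.
    for pat in (
        r"\+OK.{0,70}(POP3 MDaemon).{0,70}",   # server banner: anchor "POP3 MDaemon" (12 bytes)
        r"user ([A-Z a-z 0-9._\ \@]{0,100})",   # USER line: longest literal "user " (5 bytes)
        r"\-ERR.{0,70}",                        # error reply: longest literal "-ERR" (4 bytes)
    ):
        anchor = longest_fixed_string(pat)
        verdict = "ok" if has_fixed_anchor(pat) else "too short"
        print(f"{pat!r}: longest fixed string {anchor!r} ({len(anchor.encode())} bytes) -> {verdict}")
```

The check makes the thread's problem concrete: the banner pattern passes on "POP3 MDaemon", while both the USER pattern and the -ERR pattern have at most five fixed bytes, which is why the second one was rejected and why no quantifier placement alone can rescue it.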

L1 Bithead

Hi Luciano,

 

We are targeting the user sign-on failed auth message; unfortunately there is nothing more than the USER command and the parameter the attacker uses. I don't need the brackets; notice they did not make a difference whether they're in or not.

 

https://www.ietf.org/rfc/rfc1939.txt (pages 12-13). This is due to an attack we have seen; the last one was ~50K user attempts, and the bot never went to the PASS command, which would have triggered the failed login attempt. I have asked PA to step in at this point to develop some kind of recon signature for this type of attack/recon.

 

Hopefully they will come up with something. Thanks for your help!
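The recon described above (many USER commands, -ERR replies leaking which mailboxes exist, and never a PASS, so a PASS-based failed-login signature never fires) can be detected from a POP3 session transcript even where the firewall cannot. The following is an added example, not code from the thread or from Palo Alto Networks; it runs a per-session state machine over a constructed transcript (the sample lines and the "<session> <C|S>: <payload>" line format are assumptions, not captured traffic) and flags sessions that issue USER repeatedly without ever issuing PASS, while recording which names the server acknowledged as valid mailboxes.

```python
import re
from collections import defaultdict

# Constructed sample transcript (not captured traffic). One message per line:
# "<session-id> <C|S>: <payload>", C = client, S = server.
SAMPLE_LOG = """\
s1 S: +OK POP3 MDaemon ready
s1 C: USER alice
s1 S: -ERR never heard of mailbox name
s1 C: USER bob
s1 S: -ERR never heard of mailbox name
s1 C: USER carol
s1 S: +OK name is a valid mailbox
s1 C: USER dave
s1 S: -ERR never heard of mailbox name
s2 S: +OK POP3 MDaemon ready
s2 C: USER erin
s2 S: +OK name is a valid mailbox
s2 C: PASS hunter2
s2 S: -ERR invalid password
s2 C: QUIT
s2 S: +OK bye
"""

LINE_RE = re.compile(r"^(?P<sess>\S+) (?P<dir>[CS]): (?P<payload>.*)$")


def parse(log: str):
    """Yield (session, direction, payload) for each well-formed transcript line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("sess"), m.group("dir"), m.group("payload")


def session_stats(log: str) -> dict:
    """Per-session counts of USER/PASS commands and of server replies to USER."""
    stats = defaultdict(lambda: {"user": 0, "pass": 0, "user_err": 0,
                                 "user_ok": 0, "valid_names": []})
    pending = {}  # session -> username whose USER reply is still outstanding
    for sess, direction, payload in parse(log):
        if direction == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()  # POP3 keywords are case-insensitive (RFC 1939)
            if verb == "USER":
                stats[sess]["user"] += 1
                pending[sess] = arg
            elif verb == "PASS":
                stats[sess]["pass"] += 1
                pending.pop(sess, None)
            else:
                pending.pop(sess, None)
        else:
            name = pending.pop(sess, None)
            if name is None:
                continue  # banner, or reply to something other than USER
            if payload.startswith("-ERR"):
                stats[sess]["user_err"] += 1
            elif payload.startswith("+OK"):
                stats[sess]["user_ok"] += 1
                stats[sess]["valid_names"].append(name)
    return dict(stats)


def find_user_enumeration(log: str, min_user_attempts: int = 3) -> dict:
    """Sessions that sent at least `min_user_attempts` USER commands and no PASS.

    That is the pattern from the thread: the bot probes names via USER only,
    so a signature keyed on failed PASS never sees it. Returns the offending
    sessions with their counts and the names the server confirmed as valid.
    """
    return {
        sess: s for sess, s in session_stats(log).items()
        if s["user"] >= min_user_attempts and s["pass"] == 0
    }


if __name__ == "__main__":
    for sess, s in find_user_enumeration(SAMPLE_LOG).items():
        print(f"{sess}: {s['user']} USER attempts, 0 PASS, "
              f"{s['user_err']} -ERR, valid names leaked: {s['valid_names']}")
```

Running it on the sample flags only s1: four USER attempts, three -ERR replies and one confirmed mailbox ("carol"), with no PASS ever sent; s2 is an ordinary failed login and is left alone. The same state machine could be fed from the mail server's own log, which sees the USER argument the firewall signature cannot key on.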

 

 

L5 Sessionator

Hi,

 

Just to let you know: I checked, and my idea with a custom app won't work; it will not override the settings of the default decoder. Scratch that and talk to a PAN SE or TAC.

 

Best regards


Luciano
