03-04-2016 12:42 PM
I would need some assistance with setting up a custom signature for pop3.
I need to make a signature for the USER command returning "-ERR ". Currently the PAN vuln signature only triggers on the PASS command in vuln ID 31709. I run into a fundamental issue, which is the 7 bytes: POP3 does not have a 7-byte minimum on return codes.
I'm suspecting I will need to do something like the following, but this is not triggering.
'Server Ack
context unknown-rsp-tcp-payload
pattern "\+OK.{0,70}(POP3 MDaemon).{0,70}"
negate no
'User passes username
context unknown-req-tcp-payload
pattern "/user/i .{0,100}"
negate no
context unknown-rsp-tcp-payload
pattern "/\-ERR/i.{0,70}"
negate no
Any idea on how I can get this done would be appreciated.
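As an added example, not part of the original post or of any PAN-OS signature configuration, the Python below applies the same detection idea to a constructed POP3 session log: it counts USER commands answered with -ERR per client and flags clients that repeatedly fail at USER without ever reaching PASS. The client addresses and session lines are constructed sample data, not captured traffic.

```python
"""Detect POP3 USER-probing: repeated USER commands answered with -ERR where the
client never proceeds to PASS. Example code; sample data below is constructed."""
import re
from collections import defaultdict

# Constructed POP3 session log as (client_ip, direction, line).
# 'C' = client request, 'S' = server reply. Not real traffic.
SAMPLE_SESSION = [
    ("203.0.113.7", "S", "+OK POP3 MDaemon ready"),
    ("203.0.113.7", "C", "USER alice"),
    ("203.0.113.7", "S", "-ERR unknown user"),
    ("203.0.113.7", "C", "USER bob"),
    ("203.0.113.7", "S", "-ERR unknown user"),
    ("203.0.113.7", "C", "USER carol"),
    ("203.0.113.7", "S", "-ERR unknown user"),
    ("198.51.100.9", "S", "+OK POP3 MDaemon ready"),
    ("198.51.100.9", "C", "USER dave"),
    ("198.51.100.9", "S", "+OK dave is a valid mailbox"),
    ("198.51.100.9", "C", "PASS hunter2"),
    ("198.51.100.9", "S", "-ERR invalid password"),
]

USER_RE = re.compile(r"^USER\s+\S+", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s", re.IGNORECASE)
# RFC 1939: every server reply begins with "+OK" or "-ERR".
ERR_RE = re.compile(r"^-ERR", re.IGNORECASE)


def count_failed_user_probes(session):
    """Return {client_ip: number of USER commands answered with -ERR}.
    Only replies to USER are counted; an -ERR after PASS is a normal
    failed login and is already covered by the existing signature."""
    pending_user = {}          # client -> True while a USER awaits its reply
    failures = defaultdict(int)
    for client, direction, line in session:
        if direction == "C":
            if USER_RE.match(line):
                pending_user[client] = True
            elif PASS_RE.match(line):
                pending_user[client] = False
        elif direction == "S" and pending_user.get(client):
            if ERR_RE.match(line):
                failures[client] += 1
            pending_user[client] = False
    return dict(failures)


def flag_enumeration(session, threshold=3):
    """Clients whose USER commands failed at least `threshold` times."""
    counts = count_failed_user_probes(session)
    return sorted(c for c, n in counts.items() if n >= threshold)
```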
03-08-2016 03:14 PM
Hi Luciano,
We are targeting users' failed sign-on auth message; unfortunately there is nothing more than the USER command and the parameter the attacker uses. I don't need the brackets; notice they did not make a difference whether they are in or not.
https://www.ietf.org/rfc/rfc1939.txt (pages 12-13). This is due to an attack we have seen; the last one was ~50K user attempts, and the bot never went to the PASS command, which would have triggered the failed login attempt. I have asked PA to step in at this point to develop some kind of recon signature for this type of attack/recon.
Hopefully they will come up with something. Thanks for your help!
03-09-2016 11:21 AM
Hi,
Just to let you know: I checked, and my idea with a custom app won't work; it will not override the settings of the default decoder. Scratch that and talk to PAN SE or TAC.
Best regards,
Luciano