[Emerging-Sigs] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected uncrypted
pepperjack at afferentsecurity.com
Mon Dec 17 05:43:43 HAST 2012
The rule is correct. This event tells us that an idiot/user has sent their
password to an outside site, in the clear. This is a POLICY issue, not
necessarily a security issue. It becomes a corporate security issue if the
password they sent was their domain password or if they were using a
corporate account login to an external vendor. Otherwise it's just a
This SID has frequently led me to vendor web sites that do not use https.
Then I get to bust their chops about it.
Not necessarily a security issue, though.
On Mon, Dec 17, 2012 at 8:11 AM, Giles Coochey <giles at coochey.net> wrote:
> If this was truly an "Outgoing" issue:
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic
> Auth Base64 HTTP Password detected unencrypted";
> flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic";
> nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header;
> threshold: type both, count 1, seconds 300, track by_src; reference:url,
> classtype:policy-violation; sid:2006380; rev:12;)
> wouldn't it read:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS...
> Just wondering, as I get an FP for this coming in after SSL offloading
> from the proxy. I know I can modify the rule via PP, but it isn't really
> alerting on what it says it is doing.
> Giles Coochey, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 7983 877438
> giles at coochey.net
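The matching logic of the quoted rule, combined with the direction check Giles proposes, as an added example that is not part of the original thread or the ET ruleset. It parses headers instead of byte-matching, and the HOME_NET ranges, function names and sample request are assumptions made for illustration.

```python
import base64
import ipaddress

# Assumed address space for illustration; substitute your own $HOME_NET.
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ANON_B64 = "YW5vbnltb3VzOg=="  # base64("anonymous:"), excluded by the rule

def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def basic_credential(raw_request):
    """Return the base64 token of an Authorization: Basic header, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() == b"basic" and token.strip():
            return token.strip().decode("ascii", "replace")
    return None

def classify(src, dst, raw_request):
    """'external': credential left HOME_NET; 'internal': it stayed inside
    (the proxy-after-SSL-offload case); None: the rule would not match."""
    token = basic_credential(raw_request)
    if token is None or token == ANON_B64 or not in_home_net(src):
        return None
    return "internal" if in_home_net(dst) else "external"

def username(token):
    """Username only, for triage; the password is never returned."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    return decoded.decode("utf-8", "replace").split(":", 1)[0]

def sample_request(cred):
    """Constructed sample request carrying the given user:password pair."""
    token = base64.b64encode(cred)
    return (b"GET / HTTP/1.1\r\nHost: vendor.example\r\n"
            b"Authorization: Basic " + token + b"\r\n\r\n")

if __name__ == "__main__":
    req = sample_request(b"alice:s3cret")
    print(classify("10.1.2.3", "203.0.113.10", req))  # leaves HOME_NET
    print(classify("10.1.2.3", "10.9.9.9", req))      # stays inside
```

With `any` as the destination, as in the rule as posted, both cases alert; restricting the destination to `$EXTERNAL_NET` keeps only the first.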