[Emerging-Sigs] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected uncrypted

Jack Pepper pepperjack at afferentsecurity.com
Mon Dec 17 05:43:43 HAST 2012


The rule is correct.  This event tells us that an idiot/user has sent their
password to an outside site, in the clear.  This is a POLICY issue, not
necessarily a security issue.  It becomes a corporate security issue if the
password they sent was their domain password or if they were using a
corporate account login to an external vendor.  Otherwise it's just a
training opportunity.

This SID has frequently led me to vendor web sites that do not use https.
Then I get to bust their chops about it.

Not necessarily a security issue, though.

jp



On Mon, Dec 17, 2012 at 8:11 AM, Giles Coochey <giles at coochey.net> wrote:

> If this was truly an "Outgoing" issue:
>
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic
> Auth Base64 HTTP Password detected unencrypted";
> flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic";
> nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header;
> threshold: type both, count 1, seconds 300, track by_src; reference:url,
> doc.emergingthreats.net/bin/view/Main/2006380;
> classtype:policy-violation; sid:2006380; rev:12;)
>
> wouldn't it read:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS...
>
> Just wondering, as I get an FP for this coming in after SSL offloading
> from the proxy. I know I can modify the rule via PP, but it isn't really
> alerting on what it says it is doing.
>
> --
> Regards,
>
> Giles Coochey, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 7983 877438
> http://www.coochey.net
> http://www.netsecspec.co.uk
> giles at coochey.net
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
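To make the two points in this thread concrete (what SID 2006380 actually matches, and why the destination variable decides whether TLS-offloaded traffic heading back into $HOME_NET fires it), here is a small Python replica of the rule's header and option logic run over constructed HTTP request headers. This is an added example, not code from the list posters or from Emerging Threats; the $HOME_NET ranges, $HTTP_PORTS set and the three sample requests are assumptions chosen for illustration, and the decoder deliberately reports only the user name from the Basic token, never the password.

```python
"""Toy replica of the matching logic of ET SID 2006380 over captured HTTP
request headers. Shows (a) what the rule fires on, including the anonymous
exclusion and the by_src threshold, and (b) why a $EXTERNAL_NET destination
changes the verdict for traffic that re-enters $HOME_NET after a TLS-offloading
proxy. All sample data below is constructed, not real traffic."""
import base64
import ipaddress
import re

# Assumed network variables (placeholders, not the list poster's configuration).
HOME_NET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HTTP_PORTS = {80, 8080}
ANON_BASIC = "YW5vbnltb3VzOg=="  # base64("anonymous:"), the credential the rule excludes

# content:"|0d 0a|Authorization|3a 20|Basic"; nocase;
BASIC_RE = re.compile(rb"\r\nAuthorization: Basic", re.IGNORECASE)


def in_home_net(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NET)


def match_basic_auth(headers: bytes):
    """Return the base64 token if the rule's content/within logic matches, else None."""
    m = BASIC_RE.search(headers)
    if not m:
        return None
    # content:!"YW5vbnltb3VzOg=="; within:32;  -> the negated string must not
    # occur in the 32 bytes following the end of the previous match.
    window = headers[m.end():m.end() + 32]
    if ANON_BASIC.encode() in window:
        return None
    token = re.match(rb"\s*([A-Za-z0-9+/=]+)", headers[m.end():])
    return token.group(1).decode() if token else None


def decode_user(token):
    """Decode only the user name part of user:password; the password is never returned."""
    try:
        user, _, _pw = base64.b64decode(token).decode("latin-1").partition(":")
    except Exception:
        return None
    return user


class BySrcThreshold:
    """threshold: type both, count 1, seconds 300, track by_src"""
    def __init__(self, seconds=300):
        self.seconds, self.last = seconds, {}

    def allow(self, src, now):
        last = self.last.get(src)
        if last is not None and now - last < self.seconds:
            return False
        self.last[src] = now
        return True


def evaluate(src, dst, dport, headers, now, thr, external_only=False):
    """Apply the rule header and options; return an alert dict or None."""
    if not in_home_net(src) or dport not in HTTP_PORTS:
        return None
    if external_only and in_home_net(dst):      # the "-> $EXTERNAL_NET" variant
        return None
    token = match_basic_auth(headers)
    if token is None or not thr.allow(src, now):
        return None
    return {"sid": 2006380, "src": src, "dst": dst, "user": decode_user(token)}


# Constructed samples: a clear-text login to an outside vendor site, the
# anonymous exclusion, and proxy-offloaded traffic to an internal server.
SAMPLES = [
    ("10.1.1.5", "203.0.113.10", 80,
     b"GET /portal HTTP/1.1\r\nHost: vendor.example\r\nAuthorization: Basic am9lOnMzY3JldA==\r\n\r\n"),
    ("10.1.1.5", "203.0.113.20", 80,
     b"GET / HTTP/1.1\r\nHost: ftp-gw.example\r\nAuthorization: Basic YW5vbnltb3VzOg==\r\n\r\n"),
    ("10.1.1.7", "10.2.2.2", 8080,
     b"GET /app HTTP/1.1\r\nHost: intranet.example\r\nauthorization: basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
]


def run(external_only=False):
    """Evaluate every sample in order; the index doubles as a timestamp for the threshold."""
    thr = BySrcThreshold()
    alerts = []
    for i, (src, dst, dport, hdr) in enumerate(SAMPLES):
        a = evaluate(src, dst, dport, hdr, now=i, thr=thr, external_only=external_only)
        if a:
            alerts.append(a)
    return alerts


if __name__ == "__main__":
    print("dst any:          ", run())
    print("dst $EXTERNAL_NET:", run(external_only=True))
```

With the destination left as `any`, the third sample (an internal client talking to an internal server on 8080, the shape of traffic that comes out of a TLS-offloading proxy) raises an alert alongside the genuine vendor-site login; with the `$EXTERNAL_NET` variant only the vendor-site login remains. The anonymous credential is dropped in both modes, matching the rule's negated content.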