[Emerging-Sigs] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected uncrypted

yew chuan Ong yewchuan_23 at yahoo.com
Mon Dec 17 06:18:00 HAST 2012


Agree with JP. Even though people are sending clear text passwords within an internal environment, it is still our concern.


________________________________
 From: Jack Pepper <pepperjack at afferentsecurity.com>
To: Giles Coochey <giles at coochey.net> 
Cc: Emerging Sigs <Emerging-sigs at emergingthreats.net> 
Sent: Monday, December 17, 2012 11:43 PM
Subject: Re: [Emerging-Sigs] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected uncrypted
 

The rule is correct.  This event tells us that an idiot/user has sent their password to an outside site, in the clear.  This is a POLICY issue, not necessarily a security issue.  It becomes a corporate security issue if the password they sent was their domain password or if they were using a corporate account login to an external vendor.  Otherwise it's just a training opportunity.

This SID has frequently led me to vendor web sites that do not use https.  Then I get to bust their chops about it.

Not necessarily a security issue, though.

jp




On Mon, Dec 17, 2012 at 8:11 AM, Giles Coochey <giles at coochey.net> wrote:

>If this was truly an "Outgoing" issue:
>
>alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"; flow:established,to_server; content:"|0d 0a|Authorization|3a 20|Basic"; nocase; http_header; content:!"YW5vbnltb3VzOg=="; within:32; http_header; threshold: type both, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2006380; classtype:policy-violation; sid:2006380; rev:12;)
>
>wouldn't it read:
>
>alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS...
>
>Just wondering, as I get an FP for this coming in after SSL offloading from the proxy. I know I can modify the rule via PP, but it isn't really alerting on what it says it is doing.
>
>-- 
>Regards,
>
>Giles Coochey, CCNA, CCNAS
>NetSecSpec Ltd
>+44 (0) 7983 877438
>http://www.coochey.net
>http://www.netsecspec.co.uk
>giles at coochey.net
>
>
>
>_______________________________________________
>Emerging-sigs mailing list
>Emerging-sigs at lists.emergingthreats.net
>http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
>Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>

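As an added illustration of the rule logic and of the direction question Giles raises, here is a small Python model of the signature (example code written for this page, not code from the list thread, from Snort, or from Emerging Threats). It applies the rule's content checks to the HTTP header block, the negated "anonymous:" match with its 32-byte window, the by-source threshold, and the two destination variants ($HOME_NET -> any versus $HOME_NET -> $EXTERNAL_NET), and runs them over three constructed requests, one of them the post-SSL-offload proxy-to-internal-server case that produced the reported false positive. The HOME_NET and HTTP_PORTS values, host names and credentials are assumptions made up for the example; the `within:32` handling is an approximation of Snort's semantics.

```python
import base64
import binascii
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Network variables are assumptions for this example, not values from the thread or any real sensor.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
HTTP_PORTS = {80, 8080}
ANONYMOUS_B64 = b"YW5vbnltb3VzOg=="  # base64("anonymous:"), the rule's negated content


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


@dataclass
class Request:
    src: str
    dst: str
    dport: int
    payload: bytes  # raw HTTP request as the sensor sees it


def basic_auth_credential(payload: bytes) -> Optional[str]:
    """Model the rule's content checks on the http_header buffer.

    Returns the decoded 'user:password' when the rule's content logic matches,
    None when it does not (no Basic header, or the excluded anonymous login).
    """
    header_block = payload.split(b"\r\n\r\n", 1)[0]            # http_header: headers only, no body
    m = re.search(rb"\r\nAuthorization: Basic", header_block, re.IGNORECASE)  # content ...; nocase
    if m is None:
        return None
    window = header_block[m.end():m.end() + 32]                # content:!"YW5v..."; within:32 (approximated)
    if ANONYMOUS_B64 in window:
        return None
    token = header_block[m.end():].split(b"\r\n", 1)[0].strip()
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        # Snort would still alert on the header; report the undecodable token verbatim.
        return token.decode("ascii", "replace")


def direction_ok(req: Request, external_only: bool) -> bool:
    """'$HOME_NET any -> any $HTTP_PORTS' as written, or '-> $EXTERNAL_NET' when external_only."""
    if not in_home_net(req.src) or req.dport not in HTTP_PORTS:
        return False
    return not (external_only and in_home_net(req.dst))


class BySrcThreshold:
    """threshold: type both, count 1, seconds 300, track by_src -> at most one alert per source per window."""

    def __init__(self, seconds: int = 300) -> None:
        self.seconds = seconds
        self.last_alert: dict[str, float] = {}

    def allow(self, src: str, now: float) -> bool:
        last = self.last_alert.get(src)
        if last is not None and now - last < self.seconds:
            return False
        self.last_alert[src] = now
        return True


def evaluate(req: Request, now: float, external_only: bool, thr: BySrcThreshold) -> Optional[str]:
    """Return an alert line when the modelled rule fires, else None. Only the username is logged."""
    if not direction_ok(req, external_only):
        return None
    cred = basic_auth_credential(req.payload)
    if cred is None or not thr.allow(req.src, now):
        return None
    user = cred.split(":", 1)[0]
    return f"ET POLICY Outgoing Basic Auth {req.src} -> {req.dst}:{req.dport} user={user}"


def http_request(host: str, credential: str) -> bytes:
    """Build a constructed HTTP/1.1 request carrying a Basic Authorization header."""
    token = base64.b64encode(credential.encode()).decode()
    return (f"GET /login HTTP/1.1\r\nHost: {host}\r\nAuthorization: Basic {token}\r\n"
            f"User-Agent: example\r\n\r\n").encode()


# Constructed traffic, not captures from the thread.
SAMPLES = [
    Request("10.1.2.3", "203.0.113.10", 80, http_request("vendor.example", "alice:s3cret")),    # internal -> external
    Request("10.0.0.5", "192.168.1.20", 8080, http_request("intranet.example", "bob:hunter2")),  # proxy after SSL offload
    Request("10.1.2.3", "203.0.113.10", 80, http_request("ftp-gw.example", "anonymous:")),       # excluded login
]

if __name__ == "__main__":
    for label, external_only in (("as written", False), ("-> $EXTERNAL_NET", True)):
        thr = BySrcThreshold()
        for req in SAMPLES:
            print(f"[{label}] {evaluate(req, 0.0, external_only, thr)}")
```

Run as written, the second sample (decrypting proxy to an internal server on a $HTTP_PORTS port) fires under the rule's `-> any` destination and is silent under `-> $EXTERNAL_NET`, which is exactly the false positive described; the first sample fires either way and is then suppressed for 300 seconds per source by the threshold; the anonymous login never fires. The alert line carries only the username, so the detection itself does not copy the clear-text password into the log.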