SID 2012870 - Outbound Request contains pw

Hello everyone,

For a few days now I have been getting alerts on this SID:
2012870 - ET POLICY HTTP Outbound Request contains pw

Today the rule for me contains this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; content:"|0d 0a|"; nocase; http_header; classtype:policy-violation; sid:2012870; rev:3; metadata:created_at 2011_05_26, former_category POLICY, confidence Low, signature_severity Informational, updated_at 2023_12_12;)

I did a packet capture:

0000   47 45 54 20 2f 6f 6e 6c 69 6e 65 2e 74 78 74 20   GET /online.txt 
0010   48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20   HTTP/1.1..Host: 
0020   63 68 65 63 6b 6f 6e 6c 69 6e 65 2e 68 6f 6d 65   checkonline.home
0030   2d 61 73 73 69 73 74 61 6e 74 2e 69 6f 0d 0a 41   -assistant.io..A
0040   63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e   ccept: */*..Conn
0050   65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d   ection: close...
0060   0a                                                .

You see "0d 0a" in the second line. This is a \r\n, so I think we have a false positive/misconfiguration in this rule.

Be kind to me, it’s my first time at ET community.

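To make the false positive reproducible, here is a small added check (my own code, not something from the post or from Emerging Threats) that replays the captured request from the hex dump above against the rev:3 rule using a simplified model of how Snort evaluates `content:` matches with `nocase` and the `http_header` buffer. The rule named `RULE_WITH_PW_ASSUMED` is an assumption standing in for "a rule that still matches on pw"; it is not the real rev:4. The second request containing `PW=` in a Cookie header is constructed for the comparison.

```python
# Constructed from the hex dump in the post (ASCII column dropped so the
# parser only has to read the hex bytes).
HA_REQUEST_DUMP = """\
0000   47 45 54 20 2f 6f 6e 6c 69 6e 65 2e 74 78 74 20
0010   48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20
0020   63 68 65 63 6b 6f 6e 6c 69 6e 65 2e 68 6f 6d 65
0030   2d 61 73 73 69 73 74 61 6e 74 2e 69 6f 0d 0a 41
0040   63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e
0050   65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d
0060   0a
"""

# The rev:3 rule exactly as quoted in the post.
RULE_REV3 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound '
             'Request contains pw"; flow:established,to_server; content:"|0d 0a|"; nocase; '
             'http_header; classtype:policy-violation; sid:2012870; rev:3; metadata:created_at '
             '2011_05_26, former_category POLICY, confidence Low, signature_severity Informational, '
             'updated_at 2023_12_12;)')

# ASSUMPTION: a minimal rule that keeps a "pw" content match in the header buffer.
# This is NOT the real rev:4 from Emerging Threats; it only stands in for
# "a rule that still checks for pw" so the two behaviours can be compared.
RULE_WITH_PW_ASSUMED = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"assumed pw rule"; '
                        'flow:established,to_server; content:"pw"; nocase; http_header; sid:1; rev:1;)')

# Constructed request that really does carry "pw" in a header (test data only).
PW_REQUEST = (b"GET /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Cookie: PW=hunter2\r\nConnection: close\r\n\r\n")


def hexdump_to_bytes(dump):
    """Turn an 'offset  xx xx xx ...' dump into raw bytes; the offset column is skipped."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:
            out.append(int(tok, 16))
    return bytes(out)


def decode_content(spec):
    """Decode a Snort content string: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:
            out.extend(bytes.fromhex(chunk))   # fromhex ignores the spaces between bytes
        else:
            out.extend(chunk.encode("latin-1"))
    return bytes(out)


def parse_content_matches(rule):
    """Collect content: options with the modifiers that follow each one (simplified: no
    negation, distance/offset, or pcre; enough for the rule under discussion)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matches = []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        name = name.strip()
        if name == "content":
            matches.append({"pattern": decode_content(value.strip().strip('"')),
                            "nocase": False, "buffer": "payload"})
        elif name == "nocase" and matches:
            matches[-1]["nocase"] = True
        elif name in ("http_header", "http_uri", "http_client_body") and matches:
            matches[-1]["buffer"] = name
    return matches


def http_buffers(raw):
    """Split a client request into the buffers a rule can target (simplified Snort 2 model:
    http_header is everything after the request line, CRLFs included)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    return {"payload": raw, "http_uri": uri,
            "http_header": headers + b"\r\n" if headers else b"",
            "http_client_body": body}


def rule_fires(rule, raw):
    """True when every content match of the rule is found in its buffer."""
    bufs = http_buffers(raw)
    for m in parse_content_matches(rule):
        hay, needle = bufs[m["buffer"]], m["pattern"]
        if m["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


if __name__ == "__main__":
    ha = hexdump_to_bytes(HA_REQUEST_DUMP)
    print("rev:3 matches on the Home Assistant check:", rule_fires(RULE_REV3, ha))
    print("rev:3 matches on the constructed PW request:", rule_fires(RULE_REV3, PW_REQUEST))
    print("assumed pw rule on the Home Assistant check:", rule_fires(RULE_WITH_PW_ASSUMED, ha))
    print("assumed pw rule on the constructed PW request:", rule_fires(RULE_WITH_PW_ASSUMED, PW_REQUEST))
```

Because the only content match left in rev:3 is `|0d 0a|` in `http_header`, and every HTTP/1.1 header block contains CRLF, the rule fires on any outbound request at all, which is exactly what the capture shows; a rule that still carries a `pw` match only fires on the request that actually contains it.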

Hey @kiwibenis !

Thanks for this report!

Looks like we modified this rule on the 12th and accidentally removed the pw logic on the snort version of the rule. Pretty surprised this wasn’t found before getting deployed. I’ll see what we can do to make sure that doesn’t happen again!

In the meantime, I got it fixed and it will be pushed out with today’s release! Will be rev:4

Thanks again!


You are welcome 🙂