Email ruleset #2322

fzipi · 2021-12-05T13:24:22Z

These are two new rules for dealing with email related protocol remote commands (smtp/pop3/imap4).

New rule 932300 tries to capture base commands that are different enough from common English words to prevent FP
New rule 932310 is a stricter sibling in PL3 with all the remaining commands

Still to be defined to be considered for merging:

the prefix/suffix for matching commands
tests!

dune73 · 2021-12-06T13:50:15Z

Cool stuff. Thank you.

What do you mean by "the prefix/suffix for matching commands"
PL3 rule sets PL2 score

fzipi · 2021-12-06T13:56:30Z

Prefix/suffix as the ones we use for generating the rule with regexp-assembly.py (opening regex/closing regex). Originally @NiceYouKnow wrote prefix (?s)\r\n.*?\b, and suffix \b and you added prefix (^|[\r\n]) and suffix \s. Maybe @azurit has some other idea 😄

dune73 · 2021-12-06T14:09:53Z

Gotcha. Thanks.

Please fix the scoring PL for the 2nd rule.

dune73 · 2021-12-06T16:21:52Z

Thanks

fzipi · 2021-12-18T14:20:24Z

Ok, first pass on splitting the rules.

The SMTP rules are probably mostly at PL2, because most of the commands are short and don't match an English word
Added tests for SMTP
IMAP rules will be mostly at PL3 probably. Still need to refactor this one a bit, but most commands are simple English words prone to FP.
Still need to review POP3, but will be similar to SMTP mostly.

dune73 · 2021-12-19T12:52:23Z

This looks good. Thank you.

Few items:

RFC 5321 lacks a link (unlike other RFC mentioned)
not sure if you should escape the space in the NOOP regex

fzipi · 2021-12-19T22:46:48Z

Added link per comment
Added POP3 in PL2 and PL3
IMAP4 is more complex protocol, still parsing it
Still needs plenty of tests

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>

fzipi · 2021-12-25T16:04:37Z

🎄 Email ruleset!

fzipi · 2021-12-25T16:06:27Z

I'm still in doubt about the initial \r\n. What if it is in the end instead?

fzipi · 2022-02-03T00:13:28Z

Hey @spartantri ! Did you take a look at this one?

franbuehler · 2022-03-07T20:09:26Z

Meeting decision March 7: merge this PR and continue the conversation about the LF/CR afterwards.

fzipi added the 🚀 enhancement New feature or request label Dec 5, 2021

fzipi mentioned this pull request Dec 5, 2021

Monthly Chat Agenda December 2021 (2021-12-06 and 2021-12-20) #2291

Closed

fzipi force-pushed the 2206-email-ruleset branch from 0e2f017 to 731023e Compare December 5, 2021 13:30

fzipi linked an issue Dec 6, 2021 that may be closed by this pull request

New PL2/3 rule that catches mail (SMTP) injections #2206

Closed

dune73 added the 👀 Needs action label Dec 6, 2021

fzipi force-pushed the 2206-email-ruleset branch from 731023e to 0bf9243 Compare December 6, 2021 15:07

fzipi force-pushed the 2206-email-ruleset branch from 0bf9243 to 1fe3f02 Compare December 18, 2021 14:17

fzipi force-pushed the 2206-email-ruleset branch from 1fe3f02 to 695759b Compare December 19, 2021 22:45

fzipi force-pushed the 2206-email-ruleset branch 2 times, most recently from 9c7191f to c3d18e1 Compare December 20, 2021 06:09

dune73 mentioned this pull request Dec 20, 2021

New PL2/3 rule that catches mail (SMTP) injections #2206

Closed

fzipi force-pushed the 2206-email-ruleset branch 2 times, most recently from 163be9d to 97bb811 Compare December 23, 2021 21:10

feat(rules): add email ruleset

212c1af

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>

fzipi force-pushed the 2206-email-ruleset branch 2 times, most recently from abab70e to fafd0aa Compare December 25, 2021 15:39

feat(email): add new email remote command execution rule

ba8a090

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>

fzipi force-pushed the 2206-email-ruleset branch from fafd0aa to ba8a090 Compare December 25, 2021 15:51

fzipi added 🏁 ready to merge and removed 👀 Needs action labels Dec 25, 2021

fzipi marked this pull request as ready for review December 25, 2021 15:52

fzipi mentioned this pull request Jan 2, 2022

Monthly Chat Agenda January 2022 (2022-01-03 and 2022-01-17) #2330

Closed

spartantri self-assigned this Jan 3, 2022

fzipi mentioned this pull request Feb 7, 2022

Monthly Chat Agenda February 2022 (2022-02-07 and 2022-02-21) Meeting Agenda #2350

Closed

theseion self-requested a review February 7, 2022 19:52

fzipi added this to the CRS v4.0 milestone Feb 7, 2022

fzipi changed the title ~~2206 email ruleset~~ Email ruleset Feb 7, 2022

fzipi mentioned this pull request Mar 6, 2022

Monthly Chat Agenda March 2022 (2022-03-07 and 2022-03-21) Meeting Agenda #2401

Closed

lifeforms merged commit a5baa8e into coreruleset:v3.4/dev Mar 7, 2022

fzipi mentioned this pull request Apr 4, 2022

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Email ruleset #2322

Email ruleset #2322

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Email ruleset #2322

Email ruleset #2322

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!