Security Incidents mailing list archives

Re: Odd string in packet...


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 26 Jan 2002 12:43:03 +1200

Frank de Lange <secf-frank () unternet org> replied to "Grimes, Shawn 
(NIA/IRP)" <GrimesSh () grc nia nih gov>:

Looks like part of an image file to me, probably it is just (part of) a .gif or
.png.  ...

It is a PNG.  Look at the whole packet dump in Shawn's post --
specifically:

050 :                                              89                  .
060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00   PNG........IHDR.
070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66   ..A.........[8.f
080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94   ....gAMA........
...

Looks like a normal PNG header to me, and dumping from packet offset
05F to end of packet created a file my graphics viewer happily opened 
as a PNG file.  (I don't know enough about PNG to say whether it is 
completely contained in that packet -- anyone else? -- but I think 
PNG was designed to be relatively robust to truncation, so no 
complaints from the graphics viewer may not mean much...)

... I get these alerts in snort all the time. I view them in the same light
as the 'x86 shellcode' alert, which pops up every now and then in an image file
which contains some 'NOP opcodes'.

Yep -- 3-byte signatures are bound to have false alarm issues...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
