Security Incidents mailing list archives
Re: Odd string in packet...
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 26 Jan 2002 12:43:03 +1200
Frank de Lange <secf-frank () unternet org> replied to "Grimes, Shawn (NIA/IRP)" <GrimesSh () grc nia nih gov>:
> Looks like part of an image file to me, probably it is just (part of) a .gif or .png. ...
It is a PNG. Look at the whole packet dump in Shawn's post -- specifically:

    050 : 89 .
    060 : 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 PNG........IHDR.
    070 : 00 05 41 00 00 01 98 08 03 00 00 00 5B 38 D3 66 ..A.........[8.f
    080 : 00 00 00 04 67 41 4D 41 00 00 D9 05 AB B5 EA 94 ....gAMA........
    ...

Looks like a normal PNG header to me, and dumping from packet offset 05F to end of packet created a file my graphics viewer happily opened as a PNG file. (I don't know enough about PNG to say whether it is completely contained in that packet -- anyone else? -- but I think PNG was designed to be relatively robust to truncation, so no complaints from the graphics viewer may not mean much...)
> ... I get these alerts in snort all the time. I view them in the same light as the 'x86 shellcode' alert, which pops up every now and then in an image file which contains some 'NOP opcodes'.
Yep -- 3-byte signatures are bound to have false alarm issues...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Odd string in packet... Grimes, Shawn (NIA/IRP) (Jan 25)
- Re: Odd string in packet... Frank de Lange (Jan 25)
- Re: Odd string in packet... Nick FitzGerald (Jan 25)
- Re: Odd string in packet... Frank de Lange (Jan 25)