Snort mailing list archives
Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt
From: JJ Cummings <cummingsj () gmail com>
Date: Wed, 25 Mar 2009 17:51:10 -0600
Shawn, you can ascertain this by asking yourself some simple questions: 1: Is the system that this is alerting affected by this, I.E. is it a system running the affected version of Microsoft Windows Media Player with the appropriate codecs? 2: Is the file in question that is causing the alert even an mp4 file? Since you suspect that it's not, verify this... if it is, see question 1 Answer both of those and You'll find the answer... 1:13318: Stack-based buffer overflow in mplayer2.exe in Microsoft Windows Media Player (WMP) 6.4, when used with the 3ivx 4.5.1 or 5.0.1 codec, allows remote attackers to execute arbitrary code via a certain .mp4 file, possibly a related issue to CVE-2007-6402. alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt"; flow:to_client, established; content:"|A9|cmt"; byte_test:4, >, 512, 0, relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26773; reference:cve,2007-6401; classtype:attempted-user; sid:13318; rev:2;) On Wed, Mar 25, 2009 at 4:44 PM, Jefferson, Shawn < Shawn.Jefferson () bcferries com> wrote:
I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt buffer overflow attempt (1:13318), and I’m thinking this is a false positive. The snort page for the alert doesn’t list any known false positives. Some of the payload info: HTTP/1.1 200 OK Date: Wed, 25 Mar 2009 20:51:54 GMT Server: Apache/1.3.41.fb2 Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache P3P: CP="HONK" Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly X-Cnection: close Transfer-Encoding: chunked Content-Type: application/x-javascript; charset=utf-8 Content-Encoding: gzip The reason I think it may be a false positive, is the fact that this appears to be a javascript, and is gzipped (??). I’ve seen other alerts triggered by JPEGs, and I’ve always assumed they were false positives, but I wanted to run it by all you because I could be missing something! Also, if this is a false positive, how do I go about helping fill out the snort alert DB on the website? Thanks, Shawn ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt Jefferson, Shawn (Mar 25)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt JJ Cummings (Mar 25)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt Jefferson, Shawn (Mar 26)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt Nigel Houghton (Mar 25)
- Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt JJ Cummings (Mar 25)