Snort mailing list archives
Re: FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 27 Jul 2010 11:04:54 -0400
We'll take full-session PCAPs from anyone that has them, and go take a look at what we can do with the rule based on our research and those packets. Russell, L0rd, you two probably know where to send, since you're regulars on this list.

On Tue, Jul 27, 2010 at 10:23 AM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:
> Hello. I too see this alert much. 25+ times alone in the past few hours. Could it be falsing on random encrypted packets or is it real exploit attempts? I too see the packets start with (hex):
>
> 1603 0100 300b
>
> Interesting. Any insights?
>
> -L0rd Ch0de1m0rt
>
> On 7/26/10, Russell Fulton <r.fulton () auckland ac nz> wrote:
>> I am seeing lots of hits on this rule -- mostly from local ISP addresses which strongly suggests that they are FPs.
>>
>> sample packet:
>>
>> 16030100300B9BFA00AD D1DC979808E896F4E7CF 1B85338B5531AF7CF07A 805C0320F78A1929FFEC B2E2CCA7F1764DBDABFC 7A0A0B
>>
>> I have lots more sample if anyone wants them -- getting a full session capture might be possible too if needed.
>>
>> Russell Fulton
>> Information Security Officer, The University of Auckland
>> New Zealand
--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
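An added triage example, not part of the thread and not Sourcefire's rule logic: it decodes the TLS record framing of the sample packet quoted above and checks whether the bytes after the `16 03 01 00 30 0b` prefix are self-consistent as a plaintext handshake Certificate message. The function names and verdict strings are hypothetical, and the premise that the alert relates to Certificate-shaped handshake records is an assumption drawn only from the rule name and the reported prefix.

```python
# Sample packet exactly as posted in the thread (53 bytes).
SAMPLE_HEX = ("16030100300B9BFA00AD D1DC979808E896F4E7CF 1B85338B5531AF7CF07A "
              "805C0320F78A1929FFEC B2E2CCA7F1764DBDABFC 7A0A0B")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HS_CERTIFICATE = 11  # 0x0b, handshake type "certificate"


def parse_record(data: bytes) -> dict:
    """Decode the 5-byte TLS record header; for handshake records, read the
    first bytes of the body as if they were a plaintext Certificate message."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte TLS record header")
    ctype = data[0]
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    info = {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": (data[1], data[2]),          # (3, 1) is TLS 1.0
        "record_length": rec_len,
        "record_complete": len(body) == rec_len,
    }
    if ctype == 22 and len(body) >= 7:
        hs_len = int.from_bytes(body[1:4], "big")         # handshake length
        cert_list_len = int.from_bytes(body[4:7], "big")  # certificate_list length
        info.update(
            hs_type=body[0], hs_length=hs_len, cert_list_length=cert_list_len,
            # A well-formed Certificate has list length == message length - 3.
            wellformed_certificate=(body[0] == HS_CERTIFICATE
                                    and cert_list_len == hs_len - 3))
    return info


def triage(data: bytes) -> str:
    """Coarse verdict for an analyst; not proof of benign or hostile traffic."""
    r = parse_record(data)
    if r.get("hs_type") != HS_CERTIFICATE:
        return "not-certificate-shaped"
    if r["wellformed_certificate"]:
        return "plaintext-certificate"
    # Lengths disagree: an encrypted handshake record whose first byte
    # happens to be 0x0b, or a malformed message. Needs session context.
    return "inconsistent-lengths"


if __name__ == "__main__":
    print(parse_record(bytes.fromhex(SAMPLE_HEX)))
    print(triage(bytes.fromhex(SAMPLE_HEX)))
```

On the posted sample the record is a complete 48-byte handshake record whose claimed message and certificate-list lengths (about 10 MB and 11 MB) disagree with each other, and 48 bytes is also the size of an encrypted Finished record under TLS 1.0 AES-CBC suites. Telling encrypted from malformed requires knowing whether a ChangeCipherSpec preceded the record, which only a full-session capture shows.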
Current thread:
- FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606 Russell Fulton (Jul 26)
- Re: FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606 L0rd Ch0de1m0rt (Jul 27)
- Re: FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606 Alex Kirk (Jul 27)
- Re: FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606 L0rd Ch0de1m0rt (Jul 27)