Snort mailing list archives
Re: FP 12634
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 13 Oct 2010 11:24:28 -0400
Alex. Here you go. Not sure these will make it to the list so I cc'd you as well... -J

-----Original Message-----
From: Alex Kirk [mailto:akirk () sourcefire com]
Sent: Wednesday, October 13, 2010 10:36 AM
To: Weir, Jason
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] FP 12634

Can either of you guys send a PCAP? Especially since the content from the rule is nowhere to be found in the partial packet dump from James.

On Tue, Oct 12, 2010 at 11:24 AM, Weir, Jason < jason.weir () nhrs org> wrote:

I'm seeing them on 12633 as well..

Jason

-----Original Message-----
From: Lay, James [mailto: james.lay () wincofoods com]
Sent: Tuesday, October 12, 2010 11:18 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] FP 12634

Rule:

exploit.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:service http; reference:cve,2007-2217; reference:url, www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12634; rev:5;)

Rule hit:

10/12-09:00:44.468266 [**] [1:12634:5] EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.115:80 -> external_ip:37350

Partial packet dump

09:00:44.470269 IP 65.55.87.115.80 > 66.193.105.132.37350: Flags [P.], ack 1, win 65535, length 1169
0x0000: 4500 04b9 a4fd 4000 3906 5352 4137 5773 E.....@.9.SRA7Ws
0x0010: 42c1 6984 0050 91e6 36ee cf5f ef5a bdc2 B.i..P..6.._.Z..
0x0020: 5018 ffff 1c09 0000 0000 0000 0002 0601 P...............
0x0030: 0507 0003 04ff c400 3410 0001 0302 0501 ........4.......
0x0040: 0604 0407 0000 0000 0000 0102 0311 0004 ................
0x0050: 0506 1221 3113 0722 3241 5161 7191 a1b1 ...!1.."2AQaq...
0x0060: 1415 81f0 1733 5282 92a2 c2ff c400 1a01 .....3R.........
0x0070: 0002 0301 0100 0000 0000 0000 0000 0000 ................
0x0080: 0304 0102 0500 06ff c400 2411 0002 0104 ..........$.....
0x0090: 0201 0403 0000 0000 0000 0000 0102 0003 ................
0x00a0: 0411 1221 3151 4142 61a1 0515 32ff da00 ...!1QABa...2...
0x00b0: 0c03 0100 0211 0311 003f 00a3 404e e78f .........?..@N..
0x00c0: 3902 4fca 8b48 de0a 47b4 6f5c 0260 2756 9.O..H..G.o\.`'V

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
Attachment:
12634.pcap
Description: 12634.pcap
Attachment:
12633.pcap
Description: 12633.pcap
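The rule quoted in the thread chains content, byte_jump and byte_test options, and the distance:-8 only makes sense once the byte_jump arithmetic is spelled out. As an added example, not part of this thread nor of the Snort rule set, the following Python emulates that option chain against a constructed minimal TIFF so an analyst triaging the alert can see exactly which bytes satisfy the payload part of sid:12634 before comparing against a PCAP. The function names rule_12634_matches and build_tiff are my own; the emulation covers only the payload options (flow, service and HTTP normalisation are not modelled) and assumes Snort's byte_jump semantics, where the jump is counted from the end of the four bytes read, which is why the rule steps back 8 bytes to land on the IFD start.

```python
import struct

MAGIC = b"MM\x00*"            # content:"MM|00|*"  (big-endian TIFF header)
BPS_SHORT = b"\x01\x02\x00\x03"  # content:"|01 02 00 03|": tag 0x0102 (BitsPerSample), type 3 (SHORT)


def rule_12634_matches(payload: bytes) -> bool:
    """Emulate the payload options of sid:12634 (content/byte_jump/content/byte_test).

    Assumed Snort semantics: byte_jump:4,0,relative,big reads 4 bytes right after the
    previous match and moves the detection pointer forward by (4 + value); distance:-8
    lets the next content start 8 bytes before that pointer; byte_test:4,>,6,0,relative,big
    reads the 4 bytes following the second content and requires them to exceed 6.
    Like Snort, an earlier content is retried at its next occurrence if later options fail.
    """
    start = 0
    while True:
        p = payload.find(MAGIC, start)
        if p < 0:
            return False
        after_magic = p + len(MAGIC)
        if after_magic + 4 > len(payload):   # byte_jump cannot read 4 bytes: this occurrence fails
            start = p + 1
            continue
        (ifd_offset,) = struct.unpack(">I", payload[after_magic:after_magic + 4])
        doe = after_magic + 4 + ifd_offset   # pointer = end of bytes read + value
        q = max(doe - 8, 0)                  # distance:-8 -> search may begin at the IFD itself
        while True:
            q = payload.find(BPS_SHORT, q)
            if q < 0:
                break
            after_tag = q + len(BPS_SHORT)
            if after_tag + 4 <= len(payload):
                (count,) = struct.unpack(">I", payload[after_tag:after_tag + 4])
                if count > 6:                # byte_test: the IFD entry's count field exceeds 6
                    return True
            q += 1
        start = p + 1


def build_tiff(bits_per_sample_count: int) -> bytes:
    """Constructed minimal big-endian TIFF: 8-byte header, then a one-entry IFD at offset 8."""
    header = MAGIC + struct.pack(">I", 8)                  # IFD offset 8 (relative to file start)
    entry = struct.pack(">HHII", 0x0102, 3, bits_per_sample_count, 0)  # tag, type, count, value/offset
    ifd = struct.pack(">H", 1) + entry + struct.pack(">I", 0)          # entry count, entry, next IFD = 0
    return header + ifd


# Constructed slice modelled on the JPEG Huffman-table bytes in the dump: no TIFF header, so no match.
JPEG_LIKE = bytes.fromhex("ffc4003410000103020501060404070000")


if __name__ == "__main__":
    print("ordinary TIFF (count 3):", rule_12634_matches(build_tiff(3)))
    print("TIFF with count 8:", rule_12634_matches(build_tiff(8)))
    print("same TIFF after HTTP headers:",
          rule_12634_matches(b"HTTP/1.1 200 OK\r\nContent-Type: image/tiff\r\n\r\n" + build_tiff(8)))
    print("JPEG-like bytes:", rule_12634_matches(JPEG_LIKE))
```

Running this against the actual TCP payload extracted from a PCAP (for example via a scapy or dpkt reassembly) is a quick way to confirm whether the bytes the rule needs are present in the flow at all, which is the question Alex raises about the partial dump.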
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- FP 12634 Lay, James (Oct 12)
- Re: FP 12634 Weir, Jason (Oct 12)
- Re: FP 12634 Alex Kirk (Oct 13)
- Re: FP 12634 Weir, Jason (Oct 13)
- Re: FP 12634 Alex Kirk (Oct 13)
- Re: FP 12634 Weir, Jason (Oct 12)