Snort mailing list archives

Re: FP 12634


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 13 Oct 2010 11:24:28 -0400

Alex,

Here you go.

Not sure these will make it to the list so I cc'd you as well...

-J

        -----Original Message-----
        From: Alex Kirk [mailto:akirk () sourcefire com]
        Sent: Wednesday, October 13, 2010 10:36 AM
        To: Weir, Jason
        Cc: snort-sigs () lists sourceforge net
        Subject: Re: [Snort-sigs] FP 12634

        Can either of you guys send a PCAP? Especially since the content from the rule is nowhere to be found in the partial packet dump from James.

        On Tue, Oct 12, 2010 at 11:24 AM, Weir, Jason <jason.weir () nhrs org> wrote:
        

                I'm seeing them on 12633 as well..

                Jason

                        -----Original Message-----
                        From: Lay, James [mailto:james.lay () wincofoods com]
                        Sent: Tuesday, October 12, 2010 11:18 AM
                        To: snort-sigs () lists sourceforge net
                        Subject: [Snort-sigs] FP 12634

                        Rule:

                        exploit.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2"; flow:to_client,established; content:"MM|00|*"; byte_jump:4,0,relative,big; content:"|01 02 00 03|"; distance:-8; byte_test:4,>,6,0,relative,big; metadata:service http; reference:cve,2007-2217; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-055.mspx; classtype:attempted-user; sid:12634; rev:5;)

                        Rule hit:

                        10/12-09:00:44.468266  [**] [1:12634:5] EXPLOIT Microsoft Kodak Imaging large offset malformed tiff 2 [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 65.55.87.115:80 -> external_ip:37350

                        Partial packet dump

                        09:00:44.470269 IP 65.55.87.115.80 > 66.193.105.132.37350: Flags [P.], ack 1, win 65535, length 1169
                                0x0000:  4500 04b9 a4fd 4000 3906 5352 4137 5773  E.....@.9.SRA7Ws
                                0x0010:  42c1 6984 0050 91e6 36ee cf5f ef5a bdc2  B.i..P..6.._.Z..
                                0x0020:  5018 ffff 1c09 0000 0000 0000 0002 0601  P...............
                                0x0030:  0507 0003 04ff c400 3410 0001 0302 0501  ........4.......
                                0x0040:  0604 0407 0000 0000 0000 0102 0311 0004  ................
                                0x0050:  0506 1221 3113 0722 3241 5161 7191 a1b1  ...!1.."2AQaq...
                                0x0060:  1415 81f0 1733 5282 92a2 c2ff c400 1a01  .....3R.........
                                0x0070:  0002 0301 0100 0000 0000 0000 0000 0000  ................
                                0x0080:  0304 0102 0500 06ff c400 2411 0002 0104  ..........$.....
                                0x0090:  0201 0403 0000 0000 0000 0000 0102 0003  ................
                                0x00a0:  0411 1221 3151 4142 61a1 0515 32ff da00  ...!1QABa...2...
                                0x00b0:  0c03 0100 0211 0311 003f 00a3 404e e78f  .........?..@N..
                                0x00c0:  3902 4fca 8b48 de0a 47b4 6f5c 0260 2756  9.O..H..G.o\.`'V


Attachment: 12634.pcap
Description: 12634.pcap

Attachment: 12633.pcap
Description: 12633.pcap
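Added example (not part of the thread and not Snort's matching engine): a simplified model of how the four options of sid:12634 chain together, so the behaviour can be tried on constructed input. Read as written, the rule finds the big-endian TIFF magic "MM|00|*", follows the 4-byte IFD offset with byte_jump, then, from 8 bytes before the landing point, searches for tag 0x0102 (BitsPerSample) with type 3 (SHORT) and checks that the entry's 4-byte count field is greater than 6. The second content has no 'within', so that search runs to the end of the payload. Two things are assumed here and labelled in the code: that byte_jump leaves the cursor after the 4 bytes read plus the value read, and that Snort retries each content at its next occurrence when a later option fails. The constructed inputs are a minimal TIFF with a controllable BitsPerSample count, and a JPEG-style stream that carries the same MM|00|* magic inside a big-endian Exif APP1 segment and then the DHT segment copied byte for byte from offset 0x87 of the dump James posted; in that dump the first content is indeed not visible, as Alex says, but the second pattern 01 02 00 03 sits at 0x9c as the first Huffman symbols of that table, followed by 04 11 12 21. Whether the attached pcaps contain such a stream is not shown on the page.

```python
"""Simplified model of sid:12634's option chain (added example, not Snort code).

  content:"MM|00|*";                        big-endian TIFF header magic
  byte_jump:4,0,relative,big;               follow the 4-byte IFD offset
  content:"|01 02 00 03|"; distance:-8;     tag 0x0102 BitsPerSample, type 3 SHORT
  byte_test:4,>,6,0,relative,big;           that entry's 4-byte count field > 6
"""
import struct

TIFF_BE_MAGIC = b"MM\x00*"
BPS_SHORT_ENTRY = b"\x01\x02\x00\x03"


def find_all(haystack: bytes, needle: bytes, start: int = 0):
    """Yield every offset >= start at which needle occurs. Assumption: Snort
    retries a content match at its next occurrence when a later option fails."""
    i = haystack.find(needle, start)
    while i != -1:
        yield i
        i = haystack.find(needle, i + 1)


def rule_12634_matches(payload: bytes):
    """Return (magic_offset, entry_offset, count) for the first combination of
    offsets that satisfies all four options, or None if the rule would not fire."""
    for magic_at in find_all(payload, TIFF_BE_MAGIC):
        cursor = magic_at + len(TIFF_BE_MAGIC)
        # byte_jump:4,0,relative,big -- read 4 bytes at the cursor, then move
        # past those 4 bytes plus the value read (assumed cursor semantics)
        if cursor + 4 > len(payload):
            continue
        (ifd_offset,) = struct.unpack(">I", payload[cursor:cursor + 4])
        cursor += 4 + ifd_offset
        if cursor > len(payload):
            continue
        # content ...; distance:-8 -- search from 8 bytes before the cursor;
        # there is no 'within', so the search extends to the end of the payload
        search_from = max(cursor - 8, 0)
        for entry_at in find_all(payload, BPS_SHORT_ENTRY, search_from):
            count_at = entry_at + len(BPS_SHORT_ENTRY)
            # byte_test:4,>,6,0,relative,big -- the IFD entry's count field
            if count_at + 4 > len(payload):
                break
            (count,) = struct.unpack(">I", payload[count_at:count_at + 4])
            if count > 6:
                return magic_at, entry_at, count
    return None


def build_tiff(bps_count: int) -> bytes:
    """Constructed minimal big-endian TIFF: header, then one IFD holding a
    single BitsPerSample (0x0102, SHORT) entry with the given count field."""
    header = TIFF_BE_MAGIC + struct.pack(">I", 8)          # IFD at offset 8
    entry = struct.pack(">HHII", 0x0102, 3, bps_count, 0)  # tag, type, count, value/offset
    return header + struct.pack(">H", 1) + entry + struct.pack(">I", 0)


def build_exif_jpeg_like() -> bytes:
    """Constructed JPEG-style stream: SOI, an APP1/Exif segment wrapping a
    benign big-endian TIFF header (one Model tag, no BitsPerSample), then the
    DHT segment that appears at offset 0x87 of the dump posted in the thread."""
    tiff = TIFF_BE_MAGIC + struct.pack(">I", 8)
    tiff += struct.pack(">H", 1)
    tiff += struct.pack(">HHII", 0x0110, 2, 6, 26)  # Model, ASCII, 6 bytes at +26
    tiff += struct.pack(">I", 0) + b"Kodak\x00"
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    dht = bytes.fromhex(
        "ffc4 0024 11"
        "00 02 01 04 02 01 04 03 00 00 00 00 00 00 00 00"    # 16 code-length counts
        "01 02 00 03 04 11 12 21 31 51 41 42 61 a1 05 15 32"  # 17 Huffman symbols
    )
    return b"\xff\xd8" + app1 + dht


if __name__ == "__main__":
    print("benign TIFF, count=3      :", rule_12634_matches(build_tiff(3)))
    print("malformed TIFF, count=256 :", rule_12634_matches(build_tiff(0x100)))
    print("Exif JPEG + DHT           :", rule_12634_matches(build_exif_jpeg_like()))
```

The benign TIFF returns None and the malformed one returns the entry at offset 10 with count 256. The JPEG-style stream also returns a hit: the magic comes from the Exif header at offset 12, but the tag bytes and the "count" 0x04111221 come from the Huffman table at offset 65, which is not an IFD at all. Adding a 'within' to the second content, or bounding it to the IFD, is the kind of tightening a reader of the thread would try against the attached pcaps.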

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
