Snort mailing list archives
Re: FP 17246
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 14 Oct 2010 12:04:34 -0400
Here is a PCAP of one that fired here..

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, October 14, 2010 10:49 AM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] FP 17246

Are you sure that's the right packet dump? That rule doesn't match the packet at all (look at the content match)

J

On Thu, Oct 14, 2010 at 10:43 AM, Lay, James <james.lay () wincofoods com> wrote:

Rule hit:

10/14-08:38:47.457462 [**] [1:17246:1] SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 209.85.225.148:80 -> external_IP:61121

Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SPECIFIC-THREATS Multiple vendor Antivirus magic byte detection evasion attempt"; flow:established,to_client; content:"Content|2D|Type|3A 20|text|2F|html"; nocase; http_header; pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2005-3370; reference:cve,2005-3371; reference:cve,2005-3372; reference:cve,2005-3373; reference:cve,2005-3374; reference:cve,2005-3375; reference:cve,2005-3376; reference:cve,2005-3377; reference:cve,2005-3378; reference:cve,2005-3379; reference:cve,2005-3380; reference:cve,2005-3381; reference:cve,2005-3382; classtype:attempted-user; sid:17246; rev:1;)

Packet dump:

08:39:10.499895 IP 209.85.225.148.80 > 66.193.105.132.61121: Flags [P.], ack 721, win 9648, length 204
0x0000: 4500 00f4 e376 0000 3906 3e5e d155 e194 E....v..9.>^.U..
0x0010: 42c1 6984 0050 eec1 18f5 f9bc 5329 87af B.i..P......S)..
0x0020: 5018 25b0 637e 0000 4854 5450 2f31 2e31 P.%.c~..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a43 6f6e 7465 6e74 .200.OK..Content
0x0040: 2d54 7970 653a 2069 6d61 6765 2f67 6966 -Type:.image/gif
0x0050: 0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163 ..Pragma:.no-cac
0x0060: 6865 0d0a 4361 6368 652d 436f 6e74 726f he..Cache-Contro
0x0070: 6c3a 206e 6f2d 6361 6368 650d 0a43 6f6e l:.no-cache..Con
0x0080: 7465 6e74 2d4c 656e 6774 683a 2034 330d tent-Length:.43.
0x0090: 0a44 6174 653a 2054 6875 2c20 3134 204f .Date:.Thu,.14.O
0x00a0: 6374 2032 3031 3020 3134 3a33 393a 3132 ct.2010.14:39:12
0x00b0: 2047 4d54 0d0a 5365 7276 6572 3a20 4746 .GMT..Server:.GF
0x00c0: 452f 322e 300d 0a0d 0a47 4946 3839 6101 E/2.0....GIF89a.
0x00d0: 0001 0080 0100 0000 00ff ffff 21f9 0401 ............!...
0x00e0: 0000 0100 2c00 0000 0001 0001 0000 0202 ....,...........
0x00f0: 4c01 003b L..;

Looks like a .gif from google....

James

_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
Attachment:
base_packet_51-1691.pcap
Description: base_packet_51-1691.pcap
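As an added illustration, not code from the thread or from the Snort rule set, the following Python models the two detection options of sid:17246 exactly as posted (the nocase http_header content match and the unmodified pcre) and runs them over the packet bytes rebuilt from James Lay's hex dump above. It also runs two constructed text/html responses for comparison, which are assumptions: one carrying a PE image after a CRLF (what the rule is written for) and one ordinary HTML body whose next line happens to start with "CI". The model is a single-packet approximation with no stream reassembly or http_inspect normalization; the pcre, having no buffer modifier, is searched over the whole raw payload, as Snort does for an unmodified pcre.

```python
import re

# Hex dump copied from the post above (tcpdump -X style: offset, up to eight
# hex words, then an ASCII column). IPv4 + TCP headers + 204-byte HTTP payload.
HEXDUMP = """\
0x0000: 4500 00f4 e376 0000 3906 3e5e d155 e194 E....v..9.>^.U..
0x0010: 42c1 6984 0050 eec1 18f5 f9bc 5329 87af B.i..P......S)..
0x0020: 5018 25b0 637e 0000 4854 5450 2f31 2e31 P.%.c~..HTTP/1.1
0x0030: 2032 3030 204f 4b0d 0a43 6f6e 7465 6e74 .200.OK..Content
0x0040: 2d54 7970 653a 2069 6d61 6765 2f67 6966 -Type:.image/gif
0x0050: 0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163 ..Pragma:.no-cac
0x0060: 6865 0d0a 4361 6368 652d 436f 6e74 726f he..Cache-Contro
0x0070: 6c3a 206e 6f2d 6361 6368 650d 0a43 6f6e l:.no-cache..Con
0x0080: 7465 6e74 2d4c 656e 6774 683a 2034 330d tent-Length:.43.
0x0090: 0a44 6174 653a 2054 6875 2c20 3134 204f .Date:.Thu,.14.O
0x00a0: 6374 2032 3031 3020 3134 3a33 393a 3132 ct.2010.14:39:12
0x00b0: 2047 4d54 0d0a 5365 7276 6572 3a20 4746 .GMT..Server:.GF
0x00c0: 452f 322e 300d 0a0d 0a47 4946 3839 6101 E/2.0....GIF89a.
0x00d0: 0001 0080 0100 0000 00ff ffff 21f9 0401 ............!...
0x00e0: 0000 0100 2c00 0000 0001 0001 0000 0202 ....,...........
0x00f0: 4c01 003b L..;
"""

HEX_WORD = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}$")   # 2- or 4-digit hex word


def parse_hexdump(text):
    """Rebuild raw packet bytes from a tcpdump -X style dump."""
    raw = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        for word in line.split(":", 1)[1].split()[:8]:   # at most 8 words/line
            if not HEX_WORD.match(word):
                break                                    # reached ASCII column
            raw += bytes.fromhex(word)
    return bytes(raw)


def tcp_payload(pkt):
    """Strip the IPv4 header (IHL) and TCP header (data offset)."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


def split_http_response(payload):
    """Return (header block incl. blank line, body)."""
    end = payload.find(b"\r\n\r\n")
    if end < 0:
        return payload, b""
    return payload[:end + 4], payload[end + 4:]


# Detection options of sid:17246 as posted:
#   content:"Content|2D|Type|3A 20|text|2F|html"; nocase; http_header;
#   pcre:"/\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)/";
CONTENT = b"Content-Type: text/html"
PCRE = re.compile(rb"\x0D\x0A?(MZ|PK|BZh|BZ|GIF8|BM|IC|PI|CI|CP)")


def evaluate_sid17246(payload):
    """Single-packet model: content limited to the header block (http_header),
    case-insensitive (nocase); pcre without modifiers over the whole payload."""
    header, _body = split_http_response(payload)
    content_hit = CONTENT.lower() in header.lower()
    m = PCRE.search(payload)
    return {
        "content": content_hit,
        "pcre": m.group(1).decode() if m else None,
        "alert": content_hit and m is not None,
    }


def http_response(content_type, body):
    """Constructed (hypothetical) server response used only for comparison."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)


POSTED_PACKET = tcp_payload(parse_hexdump(HEXDUMP))
# Constructed: text/html carrying a PE header after a CRLF (the rule's target).
HTML_WITH_MZ = http_response(b"text/html", b"<html></html>\r\nMZ\x90\x00\x03\x00")
# Constructed: ordinary HTML whose next line starts with "CI". The pcre is not
# anchored to the start of the body, so a two-letter prefix after any CRLF fires.
HTML_BENIGN = http_response(b"text/html", b"<html>\r\nCITY: Concord\r\n</html>")

if __name__ == "__main__":
    for name, p in [("posted GIF packet", POSTED_PACKET),
                    ("html + MZ", HTML_WITH_MZ),
                    ("html 'CITY' line", HTML_BENIGN)]:
        print(name, evaluate_sid17246(p))
```

Running it shows the point Joel makes: the posted packet satisfies the pcre (CRLF followed by "GIF8" at the end of the headers) but its header says image/gif, so the http_header content match fails and the rule cannot fire on that packet by itself. The two constructed responses show what does satisfy both options, including the second case, where the short alternatives like CI and PI make the pcre match plain HTML lines.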
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- Re: FP 17246, (continued)
- Re: FP 17246 Weir, Jason (Oct 14)
- Re: FP 17246 Weir, Jason (Oct 14)
- Re: FP 17246 Nigel Houghton (Oct 14)
- Re: FP 17246 Weir, Jason (Oct 14)
- Re: FP 17246 JJC (Oct 14)
- Re: FP 17246 Nigel Houghton (Oct 14)
- Re: FP 17246 Weir, Jason (Oct 14)
- Re: FP 17246 Lay, James (Oct 14)
- Re: FP 17246 Joel Esler (Oct 14)
- Re: FP 17246 Weir, Jason (Oct 14)