Snort mailing list archives
Re: possible fp on 17297
From: rmkml <rmkml () yahoo fr>
Date: Tue, 16 Nov 2010 22:44:50 +0100 (CET)
Hi Matan,

added more references:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2152
http://www.kb.cert.org/vuls/id/324929
http://www.securityfocus.com/bid/23543
http://xforce.iss.net/xforce/xfdb/33732

- Maybe check if any port is good for you, or maybe add an exception port?
- Maybe add a "light" within:200; for checking unicode multibyte,
- and maybe add a "light" search for the long null byte (separator) ending the filename, like:
  isdataat:64,relative; content:!"|00|"; within:64;

but the best is: how long is the multibyte unicode for the vulnerability? Do you have an FP example please?

Regards
Rmkml

On Tue, 16 Nov 2010, matan monitz wrote:
> hello
>
> I have been trying to investigate a possible FP for 17297 but I can't really figure out what the sig is looking for:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297; rev:3;)
>
> I get the first part ("|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"), that's a RAR file header, but what is content:"|E2 CA D4 B2 E2 CA D4 B2|"? Is it supposed to be something in unicode? How sure should I be regarding this signature?
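To see concretely what the rule's two-content chain does and how the extra options rmkml proposes (within:200, isdataat:64,relative, and a negated null-byte content) narrow it, here is an added example that is not part of the thread and not Snort's code: a small Python emulation of those content modifiers run over constructed byte strings. The two patterns are copied from sid:17297 as quoted above; the RAR-shaped payloads are made up for the demonstration, and the within/isdataat semantics follow the Snort manual's description (a search window of N bytes after the previous match; the byte N past the cursor must exist), with Snort itself remaining the reference for edge cases.

```python
"""Emulate Snort content/distance/within/isdataat checks for sid:17297.

Added example for the snort-sigs thread; not Snort code. The payloads are
constructed, not captured traffic.
"""

# Patterns taken from the sid:17297 rule quoted in the thread.
RAR_MARK_AND_HEADER = bytes.fromhex("52 61 72 21 1A 07 00 CF 90 73 00 00 0D")
REPEATED_BYTES = bytes.fromhex("E2 CA D4 B2 E2 CA D4 B2")


def content(payload, pattern, cursor=None, distance=0, within=None, negated=False):
    """One Snort 'content' check.

    cursor is None for an absolute search (the first content of a rule);
    otherwise it is the end of the previous match and distance/within apply
    relative to it: the search window is [cursor+distance, cursor+distance+within).
    Returns the new cursor (end of this match) or None when the check fails.
    A negated content succeeds when the pattern is absent from the window and
    leaves the cursor where it was.
    """
    start = 0 if cursor is None else cursor + distance
    end = len(payload) if within is None else min(len(payload), start + within)
    idx = payload.find(pattern, start, end)
    if negated:
        return cursor if idx == -1 else None
    return None if idx == -1 else idx + len(pattern)


def isdataat(payload, cursor, n):
    """Snort 'isdataat:n,relative': the byte n past the cursor must exist."""
    return len(payload) > cursor + n


def sid_17297(payload):
    """The rule as posted: RAR header, then the 8 repeated bytes anywhere after it."""
    cur = content(payload, RAR_MARK_AND_HEADER)
    if cur is None:
        return False
    return content(payload, REPEATED_BYTES, cur, distance=0) is not None


def sid_17297_tightened(payload, within=200, min_len=64):
    """rmkml's proposed tightening: the repeated bytes must sit within 200 bytes
    of the header, and at least 64 bytes with no null separator must follow."""
    cur = content(payload, RAR_MARK_AND_HEADER)
    if cur is None:
        return False
    cur = content(payload, REPEATED_BYTES, cur, distance=0, within=within)
    if cur is None:
        return False
    if not isdataat(payload, cur, min_len):
        return False
    return content(payload, b"\x00", cur, within=min_len, negated=True) is not None


# Constructed samples (hypothetical, not real RAR files or captures).
SHORT_FILENAME = RAR_MARK_AND_HEADER + b"\x00" * 5 + REPEATED_BYTES + b"a.txt\x00" + b"\x00" * 80
LONG_FILENAME = RAR_MARK_AND_HEADER + b"\x00" * 5 + REPEATED_BYTES + b"A" * 120 + b"\x00"
FAR_AWAY = RAR_MARK_AND_HEADER + b"\x00" * 300 + REPEATED_BYTES + b"A" * 120
NO_HEADER = b"\x00" * 20 + REPEATED_BYTES + b"A" * 120


if __name__ == "__main__":
    for name, sample in [("SHORT_FILENAME", SHORT_FILENAME), ("LONG_FILENAME", LONG_FILENAME),
                         ("FAR_AWAY", FAR_AWAY), ("NO_HEADER", NO_HEADER)]:
        print(f"{name:15s} posted rule: {sid_17297(sample)!s:5s} tightened: {sid_17297_tightened(sample)}")
```

The SHORT_FILENAME sample matches the rule as posted but not the tightened variant, which is exactly the distinction the isdataat/negated-null pair is meant to draw; FAR_AWAY shows the effect of within:200 on its own, and NO_HEADER confirms that the second content is never evaluated without the first.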
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs