Snort mailing list archives
FP on sig 17567
From: "Andy Berryman" <aberryman () Cymtec com>
Date: Wed, 17 Nov 2010 10:36:16 -0600
SPECIFIC-THREATS LANDesk Management Suite Alerting Service buffer overflow
alert udp $EXTERNAL_NET any -> $HOME_NET 65535
sid:17567; rev:1;

I'm seeing this as a false positive for a couple of our customers. Most seem to be DNS requests. Source port is 53 on most of them and a couple of them that I've talked to have confirmed they don't have the software on the machines.

One is source port 161 dest port 65535 and here's the packet payload

0 OMFGPonies ( 0 0 + Cisco IOS Software, 3600 Software (C3640-I-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Sat 08-Nov-08 23:43 by prod_rel_team

IN HEX:
3082 011d 0201 0004 0a4f 4d46 4750 6f6e
6965 73a2 8201 0a02 0411 ce28 8102 0100
0201 0030 81fb 3081 f806 082b 0601 0201
0101 0004 81eb 4369 7363 6f20 494f 5320
536f 6674 7761 7265 2c20 3336 3030 2053
6f66 7477 6172 6520 2843 3336 3430 2d49
2d4d 292c 2056 6572 7369 6f6e 2031 322e
3428 3233 292c 2052 454c 4541 5345 2053
4f46 5457 4152 4520 2866 6331 290d 0a54
6563 686e 6963 616c 2053 7570 706f 7274
3a20 6874 7470 3a2f 2f77 7777 2e63 6973
636f 2e63 6f6d 2f74 6563 6873 7570 706f
7274 0d0a 436f 7079 7269 6768 7420 2863
2920 3139 3836 2d32 3030 3820 6279 2043
6973 636f 2053 7973 7465 6d73 2c20 496e
632e 0d0a 436f 6d70 696c 6564 2053 6174
2030 382d 4e6f 762d 3038 2032 333a 3433
2062 7920 7072 6f64 5f72 656c 5f74 6561
6d

Thanks,
Andy Berryman
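A triage sketch for the alerts described in the message above, added here as an example and not part of the original post or of the Snort rule set: it checks whether a UDP packet that hit destination port 65535 is reply traffic from source port 53 or 161 by parsing the DNS header and the outer SNMP BER envelope. The function names and both sample packets are constructed for illustration.

```python
import struct

def ber_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_summary(payload):
    """Return (version, community, pdu_tag) for an SNMP v1/v2c message, else None."""
    try:
        tag, msg, _ = ber_tlv(payload, 0)          # outer SEQUENCE
        t_ver, ver, p = ber_tlv(msg, 0)            # INTEGER version
        t_com, com, p = ber_tlv(msg, p)            # OCTET STRING community
        pdu_tag, _, _ = ber_tlv(msg, p)            # context-tagged PDU
    except (IndexError, ValueError):
        return None
    if (tag, t_ver, t_com) != (0x30, 0x02, 0x04):
        return None
    return int.from_bytes(ver, "big"), com.decode("ascii", "replace"), pdu_tag

def dns_is_response(payload):
    """True when the 12-byte DNS header has the QR (response) bit set."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    return bool(flags & 0x8000) and qdcount >= 1

def triage(src_port, payload):
    """Label a UDP/65535 alert as reply traffic from a known service, or 'review'."""
    summary = snmp_summary(payload) if src_port == 161 else None
    if summary and summary[2] == 0xA2:             # 0xA2 = GetResponse PDU
        return "snmp-response"
    if src_port == 53 and dns_is_response(payload):
        return "dns-response"
    return "review"

def tlv(tag, value):                               # short-form BER encoder for the samples
    return bytes([tag, len(value)]) + value
# Constructed samples (not captured traffic): an SNMP GetResponse and a DNS response.
VARBIND = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010201010100")) + tlv(0x04, b"constructed"))
PDU = tlv(0xA2, tlv(2, b"\x01") + tlv(2, b"\x00") + tlv(2, b"\x00") + tlv(0x30, VARBIND))
SAMPLE_SNMP = tlv(0x30, tlv(2, b"\x00") + tlv(4, b"public") + PDU)
SAMPLE_DNS = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
```

Anything labelled "review" still needs a look at the full packet; the labels only separate out replies whose structure matches the service implied by the source port.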