Snort mailing list archives
Re: Possible FP 17390
From: rmkml <rmkml () yahoo fr>
Date: Tue, 20 Sep 2011 23:02:16 +0200 (CEST)
Thank you James and Joel. Exploit here: http://downloads.securityfocus.com/vulnerabilities/exploits/32555.c

I'm curious whether this exploit DoSes because of:
- the JPEG loop? (iter 200000)
- the marker APP13 (\xffed) section size being too short? (\x0002)
- the Photoshop thumbnail tag size being too big? (\x01010101)
- or a combination?

Regards
Rmkml

On Tue, 20 Sep 2011, Joel Esler wrote:
> James, can you send it to me in just pcap form? I just want to make sure that any false positives are eliminated. I had a hunch it was 2.9.1, do you have PAF enabled in your config?
>
> Joel
>
> On Sep 20, 2011, at 4:07 PM, Lay, James wrote:
>
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler () sourcefire com]
>> Sent: Tuesday, September 20, 2011 12:39 PM
>> To: Lay, James
>> Cc: snort-sigs () lists sourceforge net
>> Subject: [Spam] Re: [Snort-sigs] Possible FP 17390
>> Importance: Low
>>
>> James,
>>
>> After looking at this, I have a couple questions:
>>
>> #1 -- What version of Snort are you using?
>>
>> #2 -- The vulnerability condition is not in this packet. What are you using to log? You may see the actual logged vulnerability condition in an additional packet later, in perhaps a "tagged" packet (depending on what interface you are using). But I can't see the vulnerability condition on the paste you included below.
>>
>> #3 -- We actually used a jpg to replicate this condition in ClamAV.
>>
>> So, a couple points. First, if you can get full packet capture of the vulnerability condition and surrounding packets, that'd be great. Because I can't see the vuln here. Second, if you aren't running ClamAV, I suggest you shut this rule off anyway.
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>> Hey Joel,
>>
>> This is snort 2.9.1 using 2.9.1 VRT rules. The packet cap is via sguil/barnyard2/squert... I don't think it's logging everything, but I got the pcap out of the unified2 file and here's the only other packet, but I can see where it hit now. Think I'll kill this rule... thanks Joel.
>>
>> James
>>
>> 00000578  58 59 5a 20 00 00 00 00 00 00 9c 18 00 00 4f a5  XYZ ....
>> 00000588  00 00 04 fc 58 59 5a 20 00 00 00 00 00 00 34 8d  ....XYZ
>> 00000598  00 00 a0 2c 00 00 0f 95 58 59 5a 20 00 00 00 00  ...,.... XYZ
>> 000005A8  00 00 26 31 00 00 10 2f 00 00 be 9c ff ed 5b da  ..&1.../
>> 000005B8  50 68 6f 74 6f 73 68 6f 70 20 33 2e 30 00 38 42  Photoshop 3.0.8B
>> 000005C8  49 4d 04 0c 00 00 00 00 5b a2 00 00 00 01 00 00  IM......
>> 000005D8  01 00 00 00 00 aa 00 00 03 00 00 01 fe 00 00 00  ........
>> 000005E8  5b 86 00 18 00 01 ff d8 ff ee 00 0e 41 64 6f 62  [.......
>> 000005F8  65 00 64 00 00 00 00 01 ff db 00 84 00 06 04 04  e.d.....
>> 00000608  04 05 04 06 05 05 06 09 06 05 06 09 0b 08 06 06  ........
>> ...
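The three size questions rmkml raises (an APP13 section length of \x0002, a thumbnail resource size of \x01010101) and the APP13/8BIM bytes in James's dump can be checked mechanically against the JPEG and Photoshop image-resource layout. The Python below is an added example, not code from the thread, from Snort or from ClamAV: it walks the length-prefixed marker segments of a JPEG, and for each APP13 (0xFFED) segment reports a declared length too short to hold the "Photoshop 3.0" header and any 8BIM resource (the thumbnail is resource ID 0x040C) whose declared size runs past the end of its segment. The function names iter_segments, check_app13 and build_sample and both sample images are the example's own, constructed inline.

```python
import struct

SOI = b"\xff\xd8"
APP13 = 0xED
PHOTOSHOP_HDR = b"Photoshop 3.0\x00"
THUMBNAIL_ID = 0x040C  # Photoshop image-resource ID of the JPEG thumbnail
IRB_MIN_HEADER = 12    # "8BIM" + 2-byte ID + 2-byte empty name + 4-byte size


def iter_segments(data):
    """Yield (marker, offset, declared_length, payload) for each length-prefixed
    segment after SOI. Stops at SOS (entropy-coded data follows) or EOI.
    A truncated final segment is yielded with whatever bytes are present."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %#x" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                      # EOI / SOS: stop walking
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        yield marker, pos, length, payload
        pos += 2 + length


def check_app13(data):
    """Return human-readable findings for malformed APP13 Photoshop segments."""
    findings = []
    try:
        for marker, off, length, payload in iter_segments(data):
            if marker != APP13:
                continue
            # The length counts its own two bytes, so "\x00\x02" declares an empty segment.
            if length < 2 + len(PHOTOSHOP_HDR):
                findings.append("APP13 at %#x: declared length %d too short for the Photoshop header"
                                % (off, length))
                continue
            if len(payload) != length - 2:
                findings.append("APP13 at %#x: truncated, declared %d payload bytes, have %d"
                                % (off, length - 2, len(payload)))
                continue
            if not payload.startswith(PHOTOSHOP_HDR):
                continue                                # some other APP13 user; nothing to check
            p = len(PHOTOSHOP_HDR)
            while p + IRB_MIN_HEADER <= len(payload):
                if payload[p:p + 4] != b"8BIM":
                    findings.append("APP13 at %#x: expected 8BIM at payload offset %d" % (off, p))
                    break
                res_id = struct.unpack(">H", payload[p + 4:p + 6])[0]
                name_field = 1 + payload[p + 6]         # Pascal string, padded to even length
                name_field += name_field % 2
                size_off = p + 6 + name_field
                if size_off + 4 > len(payload):
                    findings.append("APP13 at %#x: 8BIM %#06x header runs past the segment" % (off, res_id))
                    break
                size = struct.unpack(">I", payload[size_off:size_off + 4])[0]
                data_off = size_off + 4
                if size > len(payload) - data_off:
                    findings.append("APP13 at %#x: 8BIM resource %#06x declares %d bytes but only %d remain"
                                    % (off, res_id, size, len(payload) - data_off))
                    break
                p = data_off + size + size % 2          # resource data is padded to even
    except ValueError as exc:
        findings.append("stopped parsing: %s" % exc)
    return findings


def _segment(marker, payload):
    """Constructed helper: one marker segment with a correct length field."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _irb(res_id, body, name=b""):
    """Constructed helper: one 8BIM image resource block."""
    name_field = bytes([len(name)]) + name
    name_field += b"\x00" * (len(name_field) % 2)
    return (b"8BIM" + struct.pack(">H", res_id) + name_field
            + struct.pack(">I", len(body)) + body + b"\x00" * (len(body) % 2))


def build_sample(thumbnail_declared=None):
    """Constructed minimal JPEG: APP0, one APP13 with a stub thumbnail resource, EOI.
    thumbnail_declared, if given, overwrites the resource's size field with a bogus
    value (the "tag size too big" case) while leaving the real data untouched."""
    thumb_body = b"\x00\x00\x00\x01" + b"\x00" * 24    # format=1 (JPEG RGB), zeroed fields
    irb = _irb(THUMBNAIL_ID, thumb_body)
    if thumbnail_declared is not None:
        irb = irb[:8] + struct.pack(">I", thumbnail_declared) + irb[12:]
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    return SOI + app0 + _segment(APP13, PHOTOSHOP_HDR + irb) + b"\xff\xd9"


if __name__ == "__main__":
    print(check_app13(build_sample()))                               # []
    print(check_app13(build_sample(thumbnail_declared=0x01010101)))  # one oversize finding
```

Run it over the reassembled object rather than a single packet: as Joel points out above, the triggering condition can sit in a later packet than the one the alert was logged against, so a check like this needs the whole file. Applied to the sizes visible in James's dump (APP13 length 0x5bda, "Photoshop 3.0", 8BIM 0x040c with declared size 0x5ba2), the declared sizes fit inside one another, which is consistent with his conclusion that rule 17390 fired on a benign thumbnail.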
Current thread:
- Possible FP 17390 Lay, James (Sep 20)
- Re: Possible FP 17390 Joel Esler (Sep 20)
- Re: Possible FP 17390 Joel Esler (Sep 20)
- <Possible follow-ups>
- Re: Possible FP 17390 Lay, James (Sep 20)
- Re: Possible FP 17390 Joel Esler (Sep 20)
- Re: Possible FP 17390 rmkml (Sep 20)
- Re: Possible FP 17390 Joel Esler (Sep 20)
- Re: Possible FP 17390 Lay, James (Sep 20)
- Re: Possible FP 17390 Joel Esler (Sep 20)
- Re: Possible FP 17390 Joel Esler (Sep 20)