Snort mailing list archives

DOS Microsoft IIS 7.5 client verify null pointer attempt


From: yew chuan Ong <yewchuan_23 () yahoo com>
Date: Wed, 18 Apr 2012 21:39:01 -0700 (PDT)

Hey guys...

Any ideas on this sig? What is the purpose to search for the keyword "0F"?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IIS 7.5 client verify null pointer attempt";
flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2;
byte_jump:2,-3,relative; content:"|16 03 01|"; within:3; content:"|0F|"; within:1; distance:2;
reference:cve,2010-3229; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-085;
classtype:attempted-dos; sid:17750; rev:8;)

Based on what I know:
[16] [03 01] [00 86] [10] [00 00 82] [00 80 0F ......]

Byte 0 - [16] - Handshake
Byte 1, Byte 2 - [03 01] - TLS1.0
Byte 3, Byte 4 - [00 86] - 134 byte - length of TLS record
Byte 5 - 10 - [16] - Client Key Exchange message
Byte 6 - 8 - [00 00 82] - message length 130 bytes

[00 80 0F ...] <- starting from here it is supposed to be encrypted, right?

Any ideas?

Thanks!


Regards
Yew Chuan
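Editor's added example (not part of the post above, and not Sourcefire's rule code): a small Python walk that emulates the cursor movement of sid:17750 over a constructed TLS 1.0 handshake. It assumes Snort's usual semantics for depth/within/distance and for byte_jump (read the length field, then jump that far past it), and uses the fact that handshake type 0x10 is ClientKeyExchange and 0x0F is CertificateVerify, so the trailing "|0F|" check is looking for a CertificateVerify record immediately following the ClientKeyExchange record.

```python
import struct

def tls_record(body):
    """Wrap a handshake message in a TLS 1.0 handshake record (content type 0x16)."""
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body

def handshake_msg(msg_type, payload):
    """Handshake header: 1-byte type + 3-byte length, followed by the payload."""
    return bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload

# Constructed sample: ClientKeyExchange (0x10, 130-byte body as in the post)
# followed by a CertificateVerify (0x0F) message in its own record.
SAMPLE = (tls_record(handshake_msg(0x10, b"\x00\x80" + b"\x00" * 128))
          + tls_record(handshake_msg(0x0F, b"\x00\x80" + b"\x00" * 128)))

def match_sid_17750(data):
    """Walk data the way sid:17750 does; return the offset each clause matched at,
    or None as soon as a clause fails."""
    hits = {}
    # content:"|16 03 01|"; depth:3  -> header must be in the first 3 bytes
    if data[0:3] != b"\x16\x03\x01":
        return None
    hits["record1_hdr"] = 0
    cur = 3                                   # cursor sits after the last match
    # content:"|10|"; within:1; distance:2 -> skip the 2-byte record length,
    # then the one byte at the cursor must be 0x10 (ClientKeyExchange)
    cur += 2
    if data[cur:cur + 1] != b"\x10":
        return None
    hits["client_key_exchange"] = cur
    cur += 1
    # byte_jump:2,-3,relative -> read the 2-byte record length at cursor-3
    # (bytes 3..4) and jump that far past it, landing on the next record
    off = cur - 3
    rec_len = struct.unpack(">H", data[off:off + 2])[0]
    cur = off + 2 + rec_len
    # content:"|16 03 01|"; within:3 -> a second handshake record must start here
    if data[cur:cur + 3] != b"\x16\x03\x01":
        return None
    hits["record2_hdr"] = cur
    cur += 3
    # content:"|0F|"; within:1; distance:2 -> its handshake type must be 0x0F
    cur += 2
    if data[cur:cur + 1] != b"\x0f":
        return None
    hits["certificate_verify"] = cur
    return hits
```

With the 134-byte first record from the post, the byte_jump lands the cursor at offset 139, exactly where the second record header begins, and the 0x0F check then reads offset 144.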