Snort mailing list archives
DOS Microsoft IIS 7.5 client verify null pointer attempt
From: yew chuan Ong <yewchuan_23 () yahoo com>
Date: Wed, 18 Apr 2012 21:39:01 -0700 (PDT)
Hi guys... Any ideas on this sig? What is the purpose of searching for the keyword "0F"?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Microsoft IIS 7.5 client verify null pointer attempt"; flow:established,to_server; content:"|16 03 01|"; depth:3; content:"|10|"; within:1; distance:2; byte_jump:2,-3,relative; content:"|16 03 01|"; within:3; content:"|0F|"; within:1; distance:2; reference:cve,2010-3229; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-085; classtype:attempted-dos; sid:17750; rev:8;)

Based on what I know:

[16] [03 01] [00 86] [10] [00 00 82] [00 80 0F ......]

Byte 0 - [16] - Handshake
Byte 1, Byte 2 - [03 01] - TLS 1.0
Byte 3, Byte 4 - [00 86] - 134 bytes - length of TLS record
Byte 5 - [10] - 16 - Client Key Exchange message
Byte 6 - 8 - [00 00 82] - message length 130 bytes
[00 80 0F ...] <- starting from here it is supposed to be encrypted, right?

Any ideas? Thanks!

Regards
Yew Chuan
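The following is an added walk-through of the rule's payload options, not code from the original post or from the thread. It builds two constructed TLS 1.0 records in the shape sid:17750 is written to catch (a ClientKeyExchange record immediately followed by a CertificateVerify record) and replays each option with a simplified model of Snort's detection cursor: "depth" bounds an absolute search from offset 0, "distance"/"within" bound a search relative to the previous match, and "byte_jump" reads a length field and moves the cursor past it plus that many bytes. Two points it makes concrete: the 2-byte value that byte_jump reads at offset -3 from the cursor is the record length at bytes 3-4, so the jump lands exactly on the next TLS record; and the "|0F|" the rule looks for is therefore the handshake type of that next record (HandshakeType 15, certificate_verify, per RFC 5246 section 7.4), not a byte inside the encrypted premaster secret. The filler bytes, the 128-byte RSA-sized lengths and the cursor model are assumptions made for the example.

```python
"""Replay of Snort sid:17750's payload options over constructed TLS records.

Added example for illustration, not the rule's or Snort's own code.  The
cursor model is a simplification of Snort's detection-option semantics.
"""
import struct

# Constants from RFC 5246: content type 22 (0x16) = handshake, and the
# HandshakeType values the rule matches on.
HANDSHAKE = 0x16
TLS10 = b"\x03\x01"
CLIENT_KEY_EXCHANGE = 0x10   # HandshakeType 16
CERTIFICATE_VERIFY = 0x0F    # HandshakeType 15
CHANGE_CIPHER_SPEC = 0x14    # content type 20, a non-handshake record


def handshake_record(msg_type: int, body: bytes, version: bytes = TLS10) -> bytes:
    """One TLSPlaintext record of type handshake wrapping one Handshake message."""
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(msg)) + msg


# Constructed sample payloads (not real captures).  The ClientKeyExchange
# body mimics the post's bytes: a 2-byte length 00 80 followed by 128 bytes
# standing in for the RSA-encrypted premaster secret; 0x0f filler is used on
# purpose to show the rule does not match those bytes.
CKE = handshake_record(CLIENT_KEY_EXCHANGE, b"\x00\x80" + b"\x0f" * 128)
CERT_VERIFY = handshake_record(CERTIFICATE_VERIFY, b"\x00\x80" + b"\xaa" * 128)
CCS = bytes([CHANGE_CIPHER_SPEC]) + TLS10 + b"\x00\x01\x01"

SUSPECT = CKE + CERT_VERIFY   # the sequence the rule is written to catch
NORMAL = CKE + CCS            # a client that sends no CertificateVerify


class NoMatch(Exception):
    pass


def content(buf, cur, pat, *, depth=None, within=None, distance=0):
    """Snort 'content': find pat inside the search window and return the
    cursor just past the match.  depth limits an absolute search from
    offset 0; distance/within limit a search relative to the cursor."""
    if depth is not None:
        start, window = 0, buf[:depth]
    else:
        start = cur + distance
        window = buf[start:] if within is None else buf[start:start + within]
    idx = window.find(pat)
    if idx < 0:
        raise NoMatch(f"content {pat.hex()} not found at {start}")
    return start + idx + len(pat)


def byte_jump(buf, cur, nbytes, offset, relative=True):
    """Snort 'byte_jump': read an nbytes big-endian value at cur+offset and
    move the cursor past those bytes plus that many more."""
    base = (cur if relative else 0) + offset
    value = int.from_bytes(buf[base:base + nbytes], "big")
    return base + nbytes + value


def sid_17750(buf):
    """Replay the rule's payload options in order.  Returns the offset at
    which each option matched, or None as soon as one option fails."""
    trace = {}
    try:
        cur = content(buf, 0, b"\x16\x03\x01", depth=3)          # record 1 header
        trace["record1"] = cur - 3
        cur = content(buf, cur, b"\x10", within=1, distance=2)     # ClientKeyExchange type
        trace["client_key_exchange"] = cur - 1
        cur = byte_jump(buf, cur, 2, -3)                           # bytes 3-4: record length
        cur = content(buf, cur, b"\x16\x03\x01", within=3)         # record 2 header
        trace["record2"] = cur - 3
        cur = content(buf, cur, b"\x0f", within=1, distance=2)     # CertificateVerify type
        trace["certificate_verify"] = cur - 1
    except NoMatch:
        return None
    return trace


if __name__ == "__main__":
    print("record length field:", CKE[3:5].hex(), "=", len(CKE) - 5, "bytes")
    print("SUSPECT:", sid_17750(SUSPECT))
    print("NORMAL: ", sid_17750(NORMAL))
```

Run stand-alone, the script prints the 00 86 length field from the post, a match trace for SUSPECT with "certificate_verify" at offset 139 + 5 = 144, and None for NORMAL even though NORMAL also carries a 0x0F byte at offset 11 inside the ClientKeyExchange body: the rule never inspects that region because byte_jump has already moved the cursor to the next record.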
Snort-sigs mailing list: https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- DOS Microsoft IIS 7.5 client verify null pointer attempt yew chuan Ong (Apr 18)
- Re: DOS Microsoft IIS 7.5 client verify null pointer attempt rmkml (Apr 18)