Snort mailing list archives
Re: bad range 3038303030303030
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 24 May 2012 09:23:25 -0400
Looks like a problem with the following rules... 21902-21906 alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21902; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21903; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21904; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21905; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"21433412"; content:"A3E81207"; distance:0; nocase; content:"436F626A"; distance:0; nocase; byte_extract:4,8,datasize1,relative,little; byte_extract:4,0,datasize2,relative,little; byte_test:4,=,datasize1,0,relative,little; byte_test:4,=,datasize2,4,relative,little; byte_test:8,>,3038303030303030,-8,relative,little,string,hex; metadata:policy balanced-ips drop, policy security-ips drop, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027; classtype:attempted-user; sid:21906; rev:1;) -J From: costin [mailto:costinvilcu () yahoo com] Sent: Thursday, May 24, 2012 5:16 AM To: snort-sigs () lists sourceforge net Subject: [Snort-sigs] bad range 3038303030303030 Hi, i am running 2.9.1.2 version of Snort, and i just applied the vrt for registered users (the one from 4/24/2012). After restarting snort, i got the folowing messages: " Starting Snort on interface eth6... Bad range: 3038303030303030 Bad range: 3038303030303030 Bad range: 3038303030303030 Bad range: 3038303030303030 Bad range: 3038303030303030 " I got the same messages for every interfaces i was running snort on. Does anyone have more info about these messages? Thanks, _____________________________________________________________________________________________ Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- bad range 3038303030303030 costin (May 24)
- Re: bad range 3038303030303030 Weir, Jason (May 24)
- Re: bad range 3038303030303030 Alex Kirk (May 24)
- Re: bad range 3038303030303030 Weir, Jason (May 24)