Snort mailing list archives

Sourcefire VRT Certified Snort Rules for CVE-2013-3906


From: Jeremy Scott <JeremyScott () solutionary com>
Date: Thu, 7 Nov 2013 21:05:26 -0600

What's the possibility of false negatives with the rules package for CVE-2013-3906 (SID 28464-71)? I'm just trying to 
validate if I'm understanding the rule logic correctly.

The content is matching the STRIPBYTECOUNT TIFF Tag (01 17 00 04 00 00 00 01). By specifying a value of 1 for the 
number of strips in the file, it seems that it will bypass the rule from being triggered if more than 1 strip is used 
to trigger the vulnerable condition.


Jeremy Scott


Senior Research Analyst
Security Engineering Research Team (SERT)

Phone: 806-318-3541  Cell: 806-679-4440

Email: JeremyScott () Solutionary com
www.solutionary.com
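
The eight bytes quoted in the message, decoded as a TIFF IFD entry and compared with a field-level parse (an added example, not part of the original message and not the VRT rule text, which is not reproduced here). The function names and the constructed big-endian sample files are assumptions made for illustration.

```python
import struct

# The eight bytes quoted in the post, read as a big-endian ("MM") IFD entry prefix:
# tag 0x0117 (StripByteCounts), type 0x0004 (LONG), count 0x00000001.
QUOTED_PATTERN = bytes.fromhex("0117000400000001")
STRIP_BYTE_COUNTS = 0x0117

def build_sample(count):
    """Constructed big-endian TIFF: header, one-entry IFD, optional value array."""
    header = b"MM" + struct.pack(">HI", 42, 8)            # magic 42, IFD at offset 8
    # Value field holds the value itself for one LONG, else an offset to the array.
    value = 0x100 if count == 1 else 26
    ifd = (struct.pack(">H", 1)
           + struct.pack(">HHII", STRIP_BYTE_COUNTS, 4, count, value)
           + struct.pack(">I", 0))                        # no further IFDs
    array = b"" if count == 1 else struct.pack(f">{count}I", *([0x100] * count))
    return header + ifd + array

def strip_byte_counts_entries(data):
    """Walk the first IFD; return (type, count) for every StripByteCounts entry."""
    order = {b"MM": ">", b"II": "<"}.get(data[:2])
    if order is None:
        raise ValueError("not a TIFF byte-order mark")
    magic, ifd_off = struct.unpack_from(order + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (n_entries,) = struct.unpack_from(order + "H", data, ifd_off)
    found = []
    for i in range(n_entries):
        tag, typ, count, _value = struct.unpack_from(
            order + "HHII", data, ifd_off + 2 + 12 * i)
        if tag == STRIP_BYTE_COUNTS:
            found.append((typ, count))
    return found

def compare(data):
    """Raw match on the quoted bytes versus a field-level parse of the same data."""
    return {"pattern_hit": QUOTED_PATTERN in data,
            "parsed": strip_byte_counts_entries(data)}

if __name__ == "__main__":
    for count in (1, 3):
        print(count, compare(build_sample(count)))
```

The count field is the last four of the eight quoted bytes, so a fixed match on them is tied to a single-value StripByteCounts entry, while the parse reports the tag whatever its count.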
