Snort mailing list archives
[SID 36903, 37674] invalid offset value of content option
From: "jungun.baek" <jungun.baek () axgate com>
Date: Tue, 6 Feb 2018 14:54:17 +0900
Dear Snort-Team,

I had discovered something wrong in the rules, so I want to know if I am misunderstanding.

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike; classtype:attempted-admin; sid:36903; rev:2;)

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike; classtype:attempted-admin; sid:37674; rev:1;)

In the above two rules, the content option seems to check "Next payload", "MjVer", "MnVer" of the IKE header. According to section "3.1 The IKE Header" of RFC4306, the Next Payload field was located at offset 8. I wonder why the offset of the content option is 16.

RFC4306 : https://tools.ietf.org/html/rfc4306#page-41

Best regards,
Eric Baek
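The byte positions the two quoted rules inspect, worked through as an added example that is not part of the original post or of the Snort project. The field layout is taken from RFC 4306 sections 3.1 and 3.2; the function names and the sample datagrams are constructed for illustration.

```python
import struct

# IKE header layout per RFC 4306 section 3.1 (28 bytes, network byte order):
# Initiator SPI (8) | Responder SPI (8) | Next Payload (1) | MjVer/MnVer (1)
# | Exchange Type (1) | Flags (1) | Message ID (4) | Length (4)
IKE_HDR = struct.Struct("!8s8sBBBBII")

def parse_ike_header(pkt):
    """Return each IKE header field as (starting byte offset, value)."""
    names = ("init_spi", "resp_spi", "next_payload", "version",
             "exchange_type", "flags", "message_id", "length")
    offsets = (0, 8, 16, 17, 18, 19, 20, 24)
    values = IKE_HDR.unpack_from(pkt, 0)
    return {n: (o, v) for n, o, v in zip(names, offsets, values)}

def rule_matches(pkt, pattern):
    """Evaluate content:<pattern>; depth:2; offset:16; byte_test:2,<,8,12,relative."""
    # offset:16 with depth:2 restricts the content search to bytes 16..17.
    if pkt[16:18] != pattern:
        return False
    cursor = 16 + len(pattern)   # relative options count from the end of the match
    pos = cursor + 12            # byte_test offset 12, relative -> byte 30
    if pos + 2 > len(pkt):
        return False             # not enough data to read the 2-byte value
    (value,) = struct.unpack_from("!H", pkt, pos)  # big-endian, Snort's default
    return value < 8

def build_sample(next_payload, version, first_payload_len):
    """Constructed datagram: IKE header plus one 4-byte generic payload header."""
    hdr = IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, next_payload, version,
                       0x22, 0x08, 0, 32)
    # Generic payload header (RFC 4306 section 3.2):
    # Next Payload (1) | Critical/Reserved (1) | Payload Length (2)
    return hdr + struct.pack("!BBH", 0, 0, first_payload_len)

if __name__ == "__main__":
    sample = build_sample(0x84, 0x20, 4)
    for name, (offset, value) in parse_ike_header(sample).items():
        print(f"{name:14} offset {offset:2}  value {value!r}")
    print("sid 36903 pattern matches:", rule_matches(sample, b"\x84\x20"))
```

The header is 28 bytes, so bytes 30 and 31 read by the byte_test are the Payload Length field of the first payload that follows it.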