Re: Alert help, web-client 3ivx MP4 file parsing cmt buffer overflow attempt

[Nigel Houghton <nhoughton () sourcefire com>]

On Wed, Mar 25, 2009 at 6:44 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
> I had an alert triggered today, WEB-CLIENT 3ivx MP4 file parsing cmt buffer
> overflow attempt (1:13318), and I’m thinking this is a false positive.  The
> snort page for the alert doesn’t list any known false positives.
>
> Some of the payload info:
>
> HTTP/1.1 200 OK
> Date: Wed, 25 Mar 2009 20:51:54 GMT
> Server: Apache/1.3.41.fb2
> Expires: Mon, 26 Jul 1997 05:00:00 GMT
> Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0,
> pre-check=0
> Pragma: no-cache
> P3P: CP="HONK"
> Set-Cookie: made_write_conn=1238014314; path=/; domain=.facebook.com
> Set-Cookie: cur_max_lag=3; path=/; domain=.facebook.com; httponly
> X-Cnection: close
> Transfer-Encoding: chunked
> Content-Type: application/x-javascript; charset=utf-8
> Content-Encoding: gzip
>
> The reason I think it may be a false positive, is the fact that this appears
> to be a javascript, and is gzipped (??).  I’ve seen other alerts triggered
> by JPEGs, and I’ve always assumed they were false positives, but I wanted to
> run it by all you because I could be missing something!
>
> Also, if this is a false positive, how do I go about helping fill out the
> snort alert DB on the website?

 http://www.snort.org/vrt/falsepos.html

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users