Snort mailing list archives
Re: FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Tue, 27 Jul 2010 09:23:15 -0500
Hello.

I too see this alert much. 25+ times alone in the past few hours. Could it be falsing on random encrypted packets or is it real exploit attempts? I too see the packets start with (hex):

1603 0100 300b

Interesting. Any insights?

-L0rd Ch0de1m0rt

On 7/26/10, Russell Fulton <r.fulton () auckland ac nz> wrote:
> I am seeing lots of hits on this rule -- mostly from local ISP addresses which strongly suggests that they are FPs.
>
> sample packet:
>
> 16030100300B9BFA00AD D1DC979808E896F4E7CF 1B85338B5531AF7CF07A 805C0320F78A1929FFEC B2E2CCA7F1764DBDABFC 7A0A0B
>
> I have lots more sample if anyone wants them -- getting a full session capture might be possible too if needed.
>
> Russell Fulton
> Information Security Officer, The University of Auckland
> New Zealand
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
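The sample packet quoted above decoded as a TLS record, as an added example that is not part of the original posts: the code parses the 5-byte record header and then the 4-byte handshake header that a plaintext handshake message would carry, and reports whether the claimed handshake length is plausible. The handshake type table and the 128 KiB plausibility threshold (`MAX_SANE_HANDSHAKE`) are assumptions chosen for this example, and the verdict is a heuristic, not a statement about what rule 16606 matches.

```python
import struct

# Sample packet exactly as posted in the thread (spaces removed).
SAMPLE_HEX = ("16030100300B9BFA00AD" "D1DC979808E896F4E7CF" "1B85338B5531AF7CF07A"
              "805C0320F78A1929FFEC" "B2E2CCA7F1764DBDABFC" "7A0A0B")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# TLS 1.0 handshake message types (RFC 2246).
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
# Assumption: a plaintext handshake message larger than this is implausible.
MAX_SANE_HANDSHAKE = 128 * 1024


def triage_record(data: bytes) -> dict:
    """Decode one TLS record and judge whether its body looks like plaintext."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte TLS record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rec_len]
    info = {
        "content_type": CONTENT_TYPES.get(ctype, "unknown"),
        "version": (major, minor),
        "record_length": rec_len,
        "complete": len(body) == rec_len,
        "verdict": "not a handshake record",
    }
    if ctype != 22 or len(body) < 4:
        return info
    # A plaintext handshake message starts with type (1 byte) + length (3 bytes).
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    info["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, "unknown")
    info["handshake_length"] = hs_len
    if hs_type in HANDSHAKE_TYPES and hs_len <= MAX_SANE_HANDSHAKE:
        info["verdict"] = "plausible plaintext handshake message"
    else:
        # After ChangeCipherSpec the handshake body is ciphertext, so these
        # four bytes are effectively random and rarely form a sane header.
        info["verdict"] = "likely encrypted handshake data (e.g. Finished)"
    return info


if __name__ == "__main__":
    print(triage_record(bytes.fromhex(SAMPLE_HEX)))
```

For the posted sample the record header reads handshake, TLS 1.0, length 48, and the byte `0x0b` that follows would be a Certificate message claiming roughly 10 MB, which is why the function classifies the body as likely ciphertext.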
Current thread:
- FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606 Russell Fulton (Jul 26)
- Re: FPs - ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt 16606 L0rd Ch0de1m0rt (Jul 27)