Snort mailing list archives

Re: Possible 16295 FP


From: rmkml <rmkml () yahoo fr>
Date: Mon, 25 Oct 2010 21:24:56 +0200 (CEST)

Hi James,
Your packet dump does not contain the MSCF word; could you send another FP that contains MSCF to the list, please?
What Snort version do you use, please? Because Will has found a bug with file_data on Snort v2.9.0.
rev 2 is already the latest version.
Regards
Rmkml


On Mon, 25 Oct 2010, Lay, James wrote:


Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields"; flow:to_client,established; file_data; content:"MSCF"; byte_test:2,&,0x0003,26,relative,little; byte_test:2,!&,0x0004,26,relative,little; pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR"; metadata:policy security-ips drop, service http; reference:bugtraq,14998; reference:cve,2005-3142; classtype:attempted-user; sid:16295; rev:2;)

 

Rule hit:

10/25-10:42:14.031398  [**] [1:16295:2] WEB-CLIENT Kaspersky antivirus library heap buffer overflow - without optional fields [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 209.85.225.99:80 -> 66.193.105.132:49789

 

Packet dump:

10:46:32.724354 IP 209.85.225.99.80 > 66.193.105.132.49879: Flags [.], ack 1945071829, win 25728, length 1400
        0x0000:  4500 05a0 da3b 0000 3906 431e d155 e163  E....;..9.C..U.c
        0x0010:  42c1 6984 0050 c2d7 a6eb 4fff 73ef 70d5  B.i..P....O.s.p.
        0x0020:  5010 6480 11b8 0000 2229 2c22 2622 2c62  P.d....."),"&",b
        0x0030:  2c22 3d22 2c63 5d2e 6a6f 696e 2822 2229  ,"=",c].join("")
        0x0040:  7d66 756e 6374 696f 6e20 7128 612c 6229  }function.q(a,b)
        0x0050:  7b62 3d6e 6577 2052 6567 4578 7028 225b  {b=new.RegExp("[
        0x0060:  3f26 5d22 2b62 2b22 3d5b 5e26 5d2a 222c  ?&]"+b+"=[^&]*",
        0x0070:  2267 6922 293b 613d 612e 7265 706c 6163  "gi");a=a.replac
        0x0080:  6528 622c 2222 293b 7265 7475 726e 2061  e(b,"");return.a
        0x0090:  3d61 2e72 6570 6c61 6365 282f 5e28 5b5e  =a.replace(/^([^
        0x00a0:  3f26 5d2a 2926 282e 2a29 2f2c 2224 313f  ?&]*)&(.*)/,"$1?
        0x00b0:  2432 2229 7d0a 6675 6e63 7469 6f6e 2075  $2")}.function.u
        0x00c0:  2861 2c62 297b 6966 2821 6129 7265 7475  (a,b){if(!a)retu
        0x00d0:  726e 2062 3b72 6574 7572 6e28 6e65 7720  rn.b;return(new.
        0x00e0:  5265 6745 7870 2822 282c 7c5e 2922 2b62  RegExp("(,|^)"+b
        0x00f0:  2b22 282c 7c24 2922 2929 2e74 6573 7428  +"(,|$)")).test(
        0x0100:  6129 3f61 3a62 2b22 2c22 2b61 7d66 756e  a)?a:b+","+a}fun
        0x0110:  6374 696f 6e20 7028 612c 6229 7b66 6f72  ction.p(a,b){for
        0x0120:  2876 6172 2063 3d2f 5b3f 265d 696d 6774  (var.c=/[?&]imgt
        0x0130:  7970 653d 285b 5e26 5d2a 292f 672c 643d  ype=([^&]*)/g,d=
        0x0140:  6e75 6c6c 2c65 3d22 223b 643d 632e 6578  null,e="";d=c.ex
        0x0150:  6563 2861 293b 2965 3d64 5b31 5d3b 7265  ec(a);)e=d[1];re
        0x0160:  7475 726e 2074 2861 2c22 696d 6774 7970  turn.t(a,"imgtyp
        0x0170:  6522 2c75 2865 2c62 2929 7d66 756e 6374  e",u(e,b))}funct
        0x0180:  696f 6e20 7628 297b 7661 7220 613d 6c6f  ion.v(){var.a=lo
        0x0190:  6361 7469 6f6e 2e68 6173 683b 6966 2861  cation.hash;if(a
        0x01a0:  2626 612e 696e 6465 784f 6628 2273 7461  &&a.indexOf("sta
        0x01b0:  7274 2229 3e2d 3129 7b76 6172 2062 3d77  rt")>-1){var.b=w
        0x01c0:  696e 646f 772e 6479 6e2e 7365 7452 6573  indow.dyn.setRes
        0x01d0:  756c 7473 3b77 696e 646f 772e 6479 6e2e  ults;window.dyn.
        0x01e0:  7365 7452 6573 756c 7473 3d66 756e 6374  setResults=funct
        0x01f0:  696f 6e28 297b 7769 6e64 6f77 2e64 796e  ion(){window.dyn
        0x0200:  2e73 6574 5265 7375 6c74 733d 627d 7d7d  .setResults=b}}}
        0x0210:  7628 293b 0a7d 2920 2829 3b64 796e 2e69  v();.}).();dyn.i
        0x0220:  6e69 7469 616c 697a 6528 275c 7832 3670  nitialize('\x26p
        0x0230:  7265 765c 7833 642f 696d 6167 6573 2533  rev\x3d/images%3
        0x0240:  4671 2533 4470 6f6e 6465 726f 7361 2532  Fq%3Dponderosa%2
        0x0250:  426c 6162 7325 3236 686c 2533 4465 6e25  Blabs%26hl%3Den%
        0x0260:  3236 6762 7625 3344 3225 3236 7462 7325  26gbv%3D2%26tbs%
        0x0270:  3344 6973 6368 3a31 272c 302c 3029 3b64  3Disch:1',0,0);d
        0x0280:  796e 2e73 6574 5265 7375 6c74 7328 5b5b  yn.setResults([[
        0x0290:  222f 696d 6772 6573 3f69 6d67 7572 6c5c  "/imgres?imgurl\
        0x02a0:  7833 6468 7474 703a 2f2f 7472 6565 732e  x3dhttp://trees.
        0x02b0:  7374 616e 666f 7264 2e65 6475 2f69 6d61  stanford.edu/ima
        0x02c0:  6765 732f 5069 6e61 6365 6165 2f70 6f6e  ges/Pinaceae/pon
        0x02d0:  6465 726f 7361 2e6a 7067 5c78 3236 696d  derosa.jpg\x26im
        0x02e0:  6772 6566 7572 6c5c 7833 6468 7474 703a  grefurl\x3dhttp:
        0x02f0:  2f2f 7363 6965 6e63 6562 6c6f 6773 2e63  //scienceblogs.c
        0x0300:  6f6d 2f63 6861 6f74 6963 7574 6f70 6961  om/chaoticutopia
        0x0310:  2f32 3030 382f 3032 2f77 6861 745f 6d61  /2008/02/what_ma
        0x0320:  6b65 735f 7468 655f 7069 6e65 735f 6772  kes_the_pines_gr
        0x0330:  6f77 5f70 6172 742e 7068 705c 7832 3675  ow_part.php\x26u
        0x0340:  7367 5c78 3364 5f5f 5a47 5767 7556 516a  sg\x3d__ZGWguVQj
        0x0350:  7848 744a 3453 4149 6853 7a47 304a 4a74  xHtJ4SAIhSzG0JJt
        0x0360:  4d69 735c 7833 645c 7832 3668 5c78 3364  Mis\x3d\x26h\x3d
        0x0370:  3638 305c 7832 3677 5c78 3364 3439 365c  680\x26w\x3d496\
        0x0380:  7832 3673 7a5c 7833 6439 375c 7832 3668  x26sz\x3d97\x26h
        0x0390:  6c5c 7833 6465 6e5c 7832 3673 7461 7274  l\x3den\x26start
        0x03a0:  5c78 3364 315c 7832 367a 6f6f 6d5c 7833  \x3d1\x26zoom\x3
        0x03b0:  6431 5c78 3236 6974 6273 5c78 3364 3122  d1\x26itbs\x3d1"
        0x03c0:  2c22 222c 224e 7364 672d 6139 7a38 7741  ,"","Nsdg-a9z8wA
        0x03d0:  4c54 4d3a 222c 2268 7474 703a 2f2f 7472  LTM:","http://tr
        0x03e0:  6565 732e 7374 616e 666f 7264 2e65 6475  ees.stanford.edu
        0x03f0:  2f69 6d61 6765 732f 5069 6e61 6365 6165  /images/Pinaceae
        0x0400:  2f70 6f6e 6465 726f 7361 2e6a 7067 222c  /ponderosa.jpg",
        0x0410:  2231 3031 222c 2231 3339 222c 2253 6f2c  "101","139","So,
        0x0420:  205c 7833 6362 5c78 3365 706f 6e64 6572  .\x3cb\x3eponder
        0x0430:  6f73 615c 7833 632f 625c 7833 6520 7069  osa\x3c/b\x3e.pi
        0x0440:  6e65 7320 6d61 7920 6265 222c 2222 2c22  nes.may.be","","
        0x0450:  222c 2234 3936 2026 7469 6d65 733b 2036  ","496.&times;.6
        0x0460:  3830 202d 2039 376b 222c 226a 7067 222c  80.-.97k","jpg",
        0x0470:  2273 6369 656e 6365 626c 6f67 732e 636f  "scienceblogs.co
        0x0480:  6d22 2c22 222c 2222 2c22 6874 7470 3a2f  m","","","http:/
        0x0490:  2f74 302e 6773 7461 7469 632e 636f 6d2f  /t0.gstatic.com/
        0x04a0:  696d 6167 6573 222c 2231 222c 5b5d 2c22  images","1",[],"
        0x04b0:  222c 302c 2222 2c5b 5d2c 2222 2c22 222c  ",0,"",[],"","",
        0x04c0:  2222 2c22 222c 2222 2c22 222c 2222 2c22  "","","","","","
        0x04d0:  222c 2222 5d2c 5b22 2f69 6d67 7265 733f  ",""],["/imgres?
        0x04e0:  696d 6775 726c 5c78 3364 6874 7470 3a2f  imgurl\x3dhttp:/
        0x04f0:  2f62 6579 6572 7265 6e65 7761 626c 6566  /beyerrenewablef
        0x0500:  7565 6c73 2e63 6f6d 2f6d 696e 6572 616c  uels.com/mineral
        0x0510:  2532 3532 306c 6162 7325 3235 3230 7465  %2520labs%2520te
        0x0520:  7374 2532 3532 3067 7265 656e 7761 7374  st%2520greenwast
        0x0530:  6525 3235 3230 706f 6c79 2532 3532 0d0a  e%2520poly%252..
        0x0540:  3130 3030 0d0a 3067 6c79 6365 726f 6c2e  1000..0glycerol.
        0x0550:  6a70 675c 7832 3669 6d67 7265 6675 726c  jpg\x26imgrefurl
        0x0560:  5c78 3364 6874 7470 3a2f 2f62 6579 6572  \x3dhttp://beyer
        0x0570:  7265 6e65 7761 626c 6566 7565 6c73 2e63  renewablefuels.c
        0x0580:  6f6d 2f4d 6169 6e25 3235 3230 5465 7374  om/Main%2520Test
        0x0590:  2532 3532 3050 6167 652e 6874 6d5c 7832  %2520Page.htm\x2

 

Looks like more google happiness.

 

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
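Editor's note, added to this archive page and not part of either message above: the quickest way to confirm rmkml's point is to decode the posted dump and re-run the rule's own match conditions against it offline. The dump is also from a different connection than the alert (client port 49879 at 10:46:32 versus 49789 at 10:42:14 in the alert line), and at offset 0x0530-0x0540 it carries "\r\n1000\r\n", an HTTP chunked-transfer chunk-size line, so the bytes the detection engine saw in file_data (the dechunked response body) were never exactly the bytes in any one packet. The Python below is example code written for this page, not Snort code and not code from the thread: it reimplements the content/byte_test/pcre logic of SID 16295 rev 2 over a byte buffer using Microsoft's CFHEADER layout (flags at header offset 30, szCabinetPrev at offset 36 when no reserve block is present), and builds constructed CAB fixtures to show what does and does not satisfy the rule. It assumes the buffer handed to it is what file_data would present (the HTTP body), approximates Snort's retry-on-next-content-match behaviour with a simple loop, and the fixture builder cab_header is hypothetical (its size and offset fields are placeholders). The three dump lines embedded in it are copied from the post; everything else is constructed.

```python
import re
import struct

# Added example: offline checker for Snort SID 16295 rev 2 (CVE-2005-3142, CAB header
# parsing). Not Snort code and not from the snort-sigs thread; CAB offsets follow
# Microsoft's CFHEADER layout.

CAB_SIG = b"MSCF"
FLAG_PREV_CABINET = 0x0001     # szCabinetPrev / szDiskPrev strings are present
FLAG_NEXT_CABINET = 0x0002     # szCabinetNext / szDiskNext strings are present
FLAG_RESERVE_PRESENT = 0x0004  # optional cbCFHeader/cbCFFolder/cbCFData fields present

# pcre:"/^.{32}([^\x00]*\x00)?[^\x00]{256}/sR": 's' is DOTALL; the 'R' (anchor at the
# end of the previous match) is reproduced below by slicing the buffer at that point.
OVERLONG_NAME = re.compile(rb"^.{32}([^\x00]*\x00)?[^\x00]{256}", re.DOTALL)


def rule_16295_matches(buf: bytes) -> bool:
    """True if buf satisfies the content/byte_test/pcre options of SID 16295.

    content:"MSCF";
    byte_test:2,&,0x0003,26,relative,little;  -> flags (header offset 30) has PREV or NEXT set
    byte_test:2,!&,0x0004,26,relative,little; -> and RESERVE_PRESENT is clear ("without optional fields")
    pcre ... /sR  -> from header offset 36: optionally one NUL-terminated name, then 256
                     consecutive non-NUL bytes, i.e. an overlong cabinet/disk name.
    flow and file_data are not modelled: buf is assumed to be the HTTP body that
    file_data would present. A failed byte_test/pcre retries on the next "MSCF",
    approximating Snort's behaviour.
    """
    start = 0
    while True:
        idx = buf.find(CAB_SIG, start)
        if idx < 0:
            return False
        cursor = idx + len(CAB_SIG)   # detection cursor sits just after the content match
        flags_off = cursor + 26       # 'relative' offset 26 -> CFHEADER offset 30 (flags)
        if flags_off + 2 <= len(buf):
            (flags,) = struct.unpack_from("<H", buf, flags_off)
            if (flags & 0x0003) and not (flags & FLAG_RESERVE_PRESENT):
                if OVERLONG_NAME.match(buf[cursor:]):
                    return True
        start = idx + 1


def cab_header(flags: int, prev_name: bytes = b"prev.cab", disk_name: bytes = b"disk1") -> bytes:
    """Constructed fixture (hypothetical helper): a 36-byte CFHEADER with no reserve
    block, followed by szCabinetPrev and szDiskPrev. Size/offset fields are placeholders."""
    hdr = struct.pack(
        "<4sIIIIIBBHHHHH",
        CAB_SIG,     # signature
        0, 0, 0,     # reserved1, cbCabinet, reserved2
        36, 0,       # coffFiles, reserved3
        3, 1,        # versionMinor, versionMajor
        1, 1,        # cFolders, cFiles
        flags,       # flags (header offset 30)
        0x1234, 1,   # setID, iCabinet
    )
    return hdr + prev_name + b"\x00" + disk_name + b"\x00"


def tcpdump_hex_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' style lines ('0x0010:  42c1 6984 ...  B.i..P..') back into
    bytes, ignoring the ASCII column and any non-hex lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]+:\s+(.*)$", line)
        if not m:
            continue
        hex_part = m.group(1).split("  ", 1)[0]   # hex column ends at the double space
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers, honouring IHL and the TCP data offset."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


# First three lines of the dump quoted in the thread, copied verbatim from the post.
POSTED_DUMP_HEAD = """\
        0x0000:  4500 05a0 da3b 0000 3906 431e d155 e163  E....;..9.C..U.c
        0x0010:  42c1 6984 0050 c2d7 a6eb 4fff 73ef 70d5  B.i..P....O.s.p.
        0x0020:  5010 6480 11b8 0000 2229 2c22 2622 2c62  P.d....."),"&",b
"""

if __name__ == "__main__":
    body = tcp_payload(tcpdump_hex_to_bytes(POSTED_DUMP_HEAD))
    print("posted packet payload starts with", body, "- MSCF present:", CAB_SIG in body)
    print("16295 on CAB with 300-byte szCabinetPrev:",
          rule_16295_matches(cab_header(FLAG_PREV_CABINET, b"A" * 300)))
    print("16295 on CAB with short names:", rule_16295_matches(cab_header(FLAG_PREV_CABINET)))
    print("16295 with RESERVE_PRESENT set (excluded by this rule):",
          rule_16295_matches(cab_header(FLAG_PREV_CABINET | FLAG_RESERVE_PRESENT, b"A" * 300)))
```

To reproduce the alert rather than argue about it, feed rule_16295_matches the reassembled, dechunked response body (for example the file carved from a pcap of the flow), not a single packet: that is the buffer file_data points at, which is also where a file_data bug of the kind rmkml mentions would show up.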

 


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
