Snort mailing list archives

FP on sig 17567


From: "Andy Berryman" <aberryman () Cymtec com>
Date: Wed, 17 Nov 2010 10:36:16 -0600

SPECIFIC-THREATS LANDesk Management Suite Alerting Service buffer
overflow

alert udp $EXTERNAL_NET any -> $HOME_NET 65535 

sid:17567; rev:1;

I'm seeing this as a false positive for a couple of our customers. Most
seem to be DNS requests. Source port is 53 on most of them and a couple
of them that I've talked to have confirmed they don't have the software
on the machines. 

One is source port 161, dest port 65535, and here's the packet payload:

0        OMFGPonies        (       0  0    +          Cisco IOS
Software, 3600 Software (C3640-I-M), Version 12.4(23), RELEASE SOFTWARE
(fc1)  Technical Support: http://www.cisco.com/techsupport  Copyright
(c) 1986-2008 by Cisco Systems, Inc.  Compiled Sat 08-Nov-08 23:43 by
prod_rel_team

IN HEX:

3082 011d 0201 0004 0a4f 4d46 4750 6f6e 6965 73a2 8201 0a02 0411 ce28
8102 0100 0201 0030 81fb 3081 f806 082b 0601 0201 0101 0004 81eb 4369
7363 6f20 494f 5320 536f 6674 7761 7265 2c20 3336 3030 2053 6f66 7477
6172 6520 2843 3336 3430 2d49 2d4d 292c 2056 6572 7369 6f6e 2031 322e
3428 3233 292c 2052 454c 4541 5345 2053 4f46 5457 4152 4520 2866 6331
290d 0a54 6563 686e 6963 616c 2053 7570 706f 7274 3a20 6874 7470 3a2f
2f77 7777 2e63 6973 636f 2e63 6f6d 2f74 6563 6873 7570 706f 7274 0d0a
436f 7079 7269 6768 7420 2863 2920 3139 3836 2d32 3030 3820 6279 2043
6973 636f 2053 7973 7465 6d73 2c20 496e 632e 0d0a 436f 6d70 696c 6564
2053 6174 2030 382d 4e6f 762d 3038 2032 333a 3433 2062 7920 7072 6f64
5f72 656c 5f74 6561 6d

Thanks,

Andy Berryman


###############################################################################
This message from Cymtec Systems, Inc. contains confidential information and is solely for the use of the recipient(s) 
named above.  If you are not the intended recipient or an agent responsible for delivering it to the intended 
recipient, you are hereby notified that you have received this message in error and that any review, disclosure, 
copying, distribution or use of the contents of this message is strictly prohibited.  If you have received this message 
in error, please destroy it immediately and notify Cymtec Systems, Inc. by telephone at +1.314.993.8700 or by return 
e-mail.                    
###############################################################################
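The hex dump in the post, decoded as SNMP. This is an added example (Python), not code from the post or from the Snort project: it reads the bytes quoted above and mirrors only the rule header shown at the top of the message (`alert udp $EXTERNAL_NET any -> $HOME_NET 65535`), since the rule's content matches are not on the page. It assumes the dump is the complete UDP payload, which is consistent with the outer BER length (0x11d = 285 bytes plus the 4-byte header = the 289 bytes shown).

```python
"""Decode the UDP payload quoted above as SNMP and apply the sid 17567 header."""

# Hex dump copied verbatim from the post (src port 161 -> dst port 65535).
PAYLOAD_HEX = """
3082 011d 0201 0004 0a4f 4d46 4750 6f6e 6965 73a2 8201 0a02 0411 ce28
8102 0100 0201 0030 81fb 3081 f806 082b 0601 0201 0101 0004 81eb 4369
7363 6f20 494f 5320 536f 6674 7761 7265 2c20 3336 3030 2053 6f66 7477
6172 6520 2843 3336 3430 2d49 2d4d 292c 2056 6572 7369 6f6e 2031 322e
3428 3233 292c 2052 454c 4541 5345 2053 4f46 5457 4152 4520 2866 6331
290d 0a54 6563 686e 6963 616c 2053 7570 706f 7274 3a20 6874 7470 3a2f
2f77 7777 2e63 6973 636f 2e63 6f6d 2f74 6563 6873 7570 706f 7274 0d0a
436f 7079 7269 6768 7420 2863 2920 3139 3836 2d32 3030 3820 6279 2043
6973 636f 2053 7973 7465 6d73 2c20 496e 632e 0d0a 436f 6d70 696c 6564
2053 6174 2030 382d 4e6f 762d 3038 2032 333a 3433 2062 7920 7072 6f64
5f72 656c 5f74 6561 6d
"""
PAYLOAD = bytes.fromhex("".join(PAYLOAD_HEX.split()))

# PDU tags that share the request-id / error-status / error-index layout.
# 0xA4 (SNMPv1 Trap) has a different body and is deliberately left out.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap"}
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c"}


def _int(b):
    return int.from_bytes(b, "big", signed=True)


def _tlv(buf, pos, want=None, what="TLV"):
    """Parse one BER TLV at buf[pos] -> (tag, value, position after it); if
    `want` is given the tag must match. Handles short and long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError(f"{what}: truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError(f"{what}: expected tag {want:#04x}, got {tag:#04x}")
    if length & 0x80:                      # long form: 0x81 nn / 0x82 nn nn
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError(f"{what}: bad BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError(f"{what}: length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """BER OBJECT IDENTIFIER content octets -> dotted string."""
    if not raw:
        raise ValueError("empty OID")
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_snmp(payload):
    """Decode an SNMPv1/v2c message; raises ValueError if payload is not one."""
    _, msg, _ = _tlv(payload, 0, 0x30, "message")
    _, ver, p = _tlv(msg, 0, 0x02, "version")
    _, community, p = _tlv(msg, p, 0x04, "community")
    pdu_tag, pdu, _ = _tlv(msg, p, None, "PDU")
    if pdu_tag not in PDU_NAMES:
        raise ValueError(f"unsupported PDU tag {pdu_tag:#04x}")
    _, req_id, p = _tlv(pdu, 0, 0x02, "request-id")
    _, err_status, p = _tlv(pdu, p, 0x02, "error-status")
    _, err_index, p = _tlv(pdu, p, 0x02, "error-index")
    _, vbl, _ = _tlv(pdu, p, 0x30, "VarBindList")
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _tlv(vbl, p, 0x30, "VarBind")
        _, oid, q = _tlv(vb, 0, 0x06, "OID")
        vtag, value, _ = _tlv(vb, q, None, "value")
        varbinds.append((_decode_oid(oid), vtag, value))
    return {"version": VERSION_NAMES.get(_int(ver), f"version {_int(ver)}"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES[pdu_tag], "request_id": _int(req_id),
            "error_status": _int(err_status), "error_index": _int(err_index),
            "varbinds": varbinds}


def classify_alert(src_port, dst_port, payload):
    """Apply the rule header quoted in the post (UDP, any source port, dest
    port 65535) and say what a datagram matching it actually is."""
    if dst_port != 65535:
        return "header of sid 17567 does not match"
    try:
        m = decode_snmp(payload)
    except ValueError:
        return f"udp/{src_port} -> udp/{dst_port}: not SNMP, inspect further"
    oid, _, value = m["varbinds"][0] if m["varbinds"] else ("(none)", None, b"")
    return (f"udp/{src_port} -> udp/{dst_port}: {m['version']} {m['pdu']} "
            f"community={m['community']!r} {oid} = {value[:30]!r}... "
            "(agent reply to a manager's ephemeral port)")
```

Run as `python3 decode.py -c 'print(classify_alert(161, 65535, PAYLOAD))'` or from the interpreter; the decoder shows the datagram is an SNMPv1 GetResponse for 1.3.6.1.2.1.1.1.0 (sysDescr.0) sent back to a poller that happened to pick 65535 as its source port, which is exactly the traffic pattern a header of `any -> $HOME_NET 65535` will keep matching. The same check applied to the port-53 hits would fail the SNMP decode and need a DNS decoder instead; the header-level reason for the match is the same.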
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs