Snort mailing list archives
Re: possible fp on 17297
From: matan monitz <mmonitz () gmail com>
Date: Thu, 18 Nov 2010 16:29:15 +0200
Hello rmkml,

I have read those references before and I have a basic understanding of the vulnerability; however, this does not explain the second content string in the signature. Filtering based on ports is not relevant, since this sig is meant to look at files being transferred over any protocol. I can't figure out what you mean by "light"...

Attached is the payload from the alerts. You can also strip the HTTP headers with some hex editor and get the beginning of valid RAR files. Weird, they all seem like valid Symantec Endpoint Protection updates... Anyone from VRT care to enlighten us?

On Tue, Nov 16, 2010 at 11:44 PM, rmkml <rmkml () yahoo fr> wrote:
Hi Matan,

Added more references:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=515
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2152
http://www.kb.cert.org/vuls/id/324929
http://www.securityfocus.com/bid/23543
http://xforce.iss.net/xforce/xfdb/33732

- Maybe check if any port is good for you, or maybe add an exception port?
- Maybe add "light" within:200; for checking unicode multibyte,
- and maybe add "light" searching for a long null byte (separator) ending the filename, like: isdataat:64,relative; content:!"|00|"; within:64;
but the best is how length multibyte unicode vulnerability? Do you have a FP example please?

Regards
Rmkml

On Tue, 16 Nov 2010, matan monitz wrote:

hello, i have been trying to investigate a possible fp for 17297 but i can't really figure out what the sig is looking for:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SPECIFIC-THREATS McAfee VirusScan on-access scanner long unicode filename handling buffer overflow attempt"; flow:to_client,established; content:"|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|"; content:"|E2 CA D4 B2 E2 CA D4 B2|"; distance:0; sid:17297; rev:3;)

i get the first part ("|52 61 72 21 1A 07 00 CF 90 73 00 00 0D|";), that's a RAR file header, but what is: content:"|E2 CA D4 B2 E2 CA D4 B2|";? is it supposed to be something in unicode? how sure should i be regarding this signature?
Attachment: payload.txt
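An added example, not code from the thread or from the Snort/VRT rule set: a small Python model of how the two content matches of sid 17297 (quoted above) are evaluated, with and without the within:200 modifier rmkml suggests, plus a decoder for the 13 header bytes and the HTTP-header stripping Matan did by hand. It lets a defender replay captured alert payloads and see which constraint a given file trips; the HTTP response below is constructed here, not the thread's attachment.

```python
import struct
from typing import Optional

# The two content strings of Snort sid 17297 as quoted in the thread.
CONTENT_1 = bytes.fromhex("52 61 72 21 1A 07 00 CF 90 73 00 00 0D")
CONTENT_2 = bytes.fromhex("E2 CA D4 B2 E2 CA D4 B2")


def describe_rar_main_header(data: bytes) -> dict:
    """Decode what CONTENT_1 covers: the 7-byte 'Rar!\\x1a\\x07\\x00' marker followed by
    the main archive header (HEAD_CRC, HEAD_TYPE 0x73 = MAIN_HEAD, HEAD_FLAGS, HEAD_SIZE).
    The rule stops at the low byte of HEAD_SIZE; 14 bytes are needed to read it whole."""
    if data[:7] != CONTENT_1[:7] or len(data) < 14:
        raise ValueError("not the start of a RAR 2.x/3.x archive")
    crc, head_type, flags, size = struct.unpack("<HBHH", data[7:14])
    return {"crc": crc, "type": head_type, "flags": flags, "size": size}


def strip_http_headers(data: bytes) -> bytes:
    """Drop an HTTP response head so a captured alert payload starts at the RAR marker."""
    _head, sep, body = data.partition(b"\r\n\r\n")
    return body if sep else data


def rule_17297_matches(payload: bytes, within: Optional[int] = None) -> bool:
    """Model the rule's two content matches. CONTENT_2 carries distance:0, so it may start
    anywhere at or after the end of CONTENT_1; with within:N it must also lie entirely
    inside the next N bytes. Like Snort, retry later CONTENT_1 hits if the first fails."""
    start = 0
    while (i := payload.find(CONTENT_1, start)) >= 0:
        cursor = i + len(CONTENT_1)
        window = payload[cursor:] if within is None else payload[cursor:cursor + within]
        if CONTENT_2 in window:
            return True
        start = i + 1
    return False


# Constructed sample (NOT the thread's attachment): an HTTP response carrying a RAR
# archive in which the 8-byte pattern appears 300 bytes after the main header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    + CONTENT_1 + b"\x00" + b"\x41" * 299 + CONTENT_2 + b"\x00" * 16
)

if __name__ == "__main__":
    rar = strip_http_headers(SAMPLE_RESPONSE)
    print(describe_rar_main_header(rar))        # crc 0x90CF, type 0x73 (MAIN_HEAD), size 13
    print(rule_17297_matches(rar))              # True: distance:0 alone fires
    print(rule_17297_matches(rar, within=200))  # False: within:200 excludes this file
```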
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- possible fp on 17297 matan monitz (Nov 16)
- Re: possible fp on 17297 rmkml (Nov 16)
- Re: possible fp on 17297 matan monitz (Nov 18)
- Re: possible fp on 17297 rmkml (Nov 16)