Snort mailing list archives
Re: Heap Spray String Floods
From: Michael Lubinski <michael.lubinski () gmail com>
Date: Thu, 17 Feb 2011 11:07:35 -0600
<INPUT TYPE="hidden" NAME="action_lst[46]" VALUE="#46-(51-2564)"><TDalign="center" valign="top" ><AHREF='base_qry_alert.php?submit=%2346-%2851-2564%29&sort_order=time_d'>#46-(51-2564)</a></TD><TD align="left" valign="top" ><FONT SIZE=-1>[<A HREF="http://www.darkreading.com/security/vulnerabilities/221901428/index.html" TARGET="_ACID_ALERT_DESC">url</A>]</FONT> <FONT SIZE=-1>[<A HREF="signatures/2012254.txt" TARGET="_ACID_ALERT_DESC">local</A>]</FONT> <FONT SIZE=-1>[<A HREF=" http://www.snort.org/pub-bin/sigs.cgi?sid=1:2012254" TARGET="_ACID_ALERT_DESC">snort</A>]</FONT> ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String</TD><TD align="center" valign="top" >2011-02-17 10:59:29 </TD><TD align="center" valign="top" ><AHREF="base_stat_ipaddr.php?ip=192.168.1.200&netmask=32">192.168.1.200</A><FONT SIZE="-1">:80</FONT></TD><TD align="center" valign="top" ><AHREF="base_stat_ipaddr.php?ip=192.168.1.104&netmask32">192.168.1.104</A><FONT SIZE="-1">:1261</FONT></TD><TD align="center" valign="top" ><FONT>TCP</FONT> </TD></TR><TR BGCOLOR="#FFFFFF"><TD align="center" valign="top" ><INPUT TYPE="checkbox" NAME="action_chk_lst[47]" VALUE="#47-(51-2563)"> </TD><INPUT TYPE="hidden" NAME="action_l
On Thu, Feb 17, 2011 at 10:55 AM, Matt Olney <molney () sourcefire com> wrote:
> That's an Emerging Threats rule, not a VRT rule. However, we have found that heap spray detections like these are very useful and accurate. Do you have the packet payload that triggered these alerts?
>
> On Thu, Feb 17, 2011 at 11:45 AM, Michael Lubinski <michael.lubinski () gmail com> wrote:
>> After updating the rules today I have noticed a few hundred and counting ET Heap Spray alerts (see attached picture). My Snort VM is residing at the .200 IP. The laptop I am using is the .104. Anyone have any ideas? I think it is related to the snort signature update, maybe something went amiss, not sure.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
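The payload Michael pasted is a row of the BASE alert console served from the Snort VM (192.168.1.200:80), and it carries the signature's own title, %u0a0a%u0a0a included, as plain text. As an added example that is not from the thread, Emerging Threats or Snort, the Python check below finds the UTF-16 heap-spray filler in a payload and separates a short hit sitting beside the rule title from a spray-length run; the min_run threshold and the spray stand-in are constructed for illustration, not taken from the ET rule.

```python
import re
from collections import namedtuple

# Excerpt of the packet payload pasted in the thread: the BASE alert console
# rendering the alert row, whose visible text repeats the signature name.
BASE_ROW = (
    '<TD align="left" valign="top" ><FONT SIZE=-1>[<A HREF="signatures/2012254.txt"'
    ' TARGET="_ACID_ALERT_DESC">local</A>]</FONT> ET SHELLCODE Common %u0a0a%u0a0a'
    ' UTF-16 Heap Spray String</TD><TD align="center" valign="top" >2011-02-17 10:59:29 </TD>'
)

# Constructed stand-in for what the rule is meant to catch: a page that builds
# a large block of the %u0a0a filler (JavaScript unescape form of UTF-16
# 0x0a0a). Only the repeated filler string, nothing else.
SPRAY_LIKE = '<script>var s = unescape("' + '%u0a0a%u0a0a' * 200 + '");</script>'

# Two or more consecutive %u0a0a units, matched case-insensitively.
PATTERN = re.compile(r'(?:%u0a0a){2,}', re.IGNORECASE)
UNIT_LEN = len('%u0a0a')

Verdict = namedtuple('Verdict', 'matched occurrences longest_run likely_self_match')


def triage(payload: str, min_run: int = 8) -> Verdict:
    """Locate the heap-spray filler in a payload and judge whether the hit is
    just the signature's own name echoed by an IDS console page.

    min_run is a heuristic chosen here, not a threshold from the ET rule: the
    rule title contains exactly one pair of %u0a0a units, while a real spray
    repeats the unit many times in a row.
    """
    runs = [len(m.group(0)) // UNIT_LEN for m in PATTERN.finditer(payload)]
    if not runs:
        return Verdict(False, 0, 0, False)
    longest = max(runs)
    # The console prints the rule title next to the pattern; a short run that
    # sits beside that title is the alert listing describing itself.
    echoed_title = 'Heap Spray String' in payload
    return Verdict(True, len(runs), longest, longest < min_run and echoed_title)


if __name__ == '__main__':
    print('BASE row   :', triage(BASE_ROW))
    print('spray-like :', triage(SPRAY_LIKE))
```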
Current thread:
- Heap Spray String Floods Michael Lubinski (Feb 17)
- Re: Heap Spray String Floods Matt Olney (Feb 17)
- Re: Heap Spray String Floods Michael Lubinski (Feb 17)
- Re: Heap Spray String Floods Michael Lubinski (Feb 17)
- Re: Heap Spray String Floods Matt Olney (Feb 17)
- Re: Heap Spray String Floods Kevin Ross (Feb 23)
- Re: Heap Spray String Floods Matt Olney (Feb 17)