Snort mailing list archives

Possible FP 17390


From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 20 Sep 2011 10:45:41 -0600

Looks like a jpg to me.

Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS ClamAV
Antivirus Function Denial of Service attempt";
flow:established,to_client; file_data; content:"|FF D8 FF|";
content:"|FF ED|"; content:"8BIM"; within:4; distance:16; nocase;
pcre:"/\xff\xed.{16}8BIM\x04(\x09|\x0c)/smi"; metadata:policy
balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,32555; reference:cve,2008-5314;
classtype:attempted-dos; sid:17390; rev:1;)

Hit:
Count:1 Event#6.2 2011-09-20 09:59:44
DOS ClamAV Antivirus Function Denial of Service attempt
72.30.11.242 -> <bleh>
IPVer=4 hlen=5 tos=0 dlen=1440 ID=46407 flags=2 offset=0 ttl=52
chksum=13111
Protocol: 6 sport=80 -> dport=46086

Seq=4150760007 Ack=3116473845 Off=5 Res=0 Flags=***A**** Win=65535
urp=4828 chksum=0
Payload:
48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D HTTP/1.0 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 74 79 70 65 3A 20 69 .Content-type: i
6D 61 67 65 2F 6A 70 65 67 0D 0A 4C 61 73 74 2D mage/jpeg..Last-
6D 6F 64 69 66 69 65 64 3A 20 46 72 69 2C 20 31 modified: Fri, 1
33 20 4D 61 72 20 32 30 30 39 20 30 35 3A 34 38 3 Mar 2009 05:48
3A 32 32 20 47 4D 54 0D 0A 45 78 70 69 72 65 73 :22 GMT..Expires
3A 20 54 75 65 2C 20 30 32 20 4A 75 6E 20 32 30 : Tue, 02 Jun 20
33 37 20 32 30 3A 30 30 3A 30 30 20 47 4D 54 0D 37 20:00:00 GMT.
0A 43 6F 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A .Content-length:
20 33 35 33 35 30 0D 0A 0D 0A FF D8 FF E0 00 10  35350..........
4A 46 49 46 00 01 01 01 00 F0 00 F0 00 00 FF E1 JFIF............
02 C2 45 78 69 66 00 00 49 49 2A 00 08 00 00 00 ..Exif..II*.....
09 00 0F 01 02 00 12 00 00 00 7A 00 00 00 10 01 ..........z.....
02 00 0A 00 00 00 8C 00 00 00 1A 01 05 00 01 00 ................
00 00 96 00 00 00 1B 01 05 00 01 00 00 00 9E 00 ................
00 00 28 01 03 00 01 00 00 00 02 00 00 00 31 01 ..(...........1.
02 00 09 00 00 00 A6 00 00 00 32 01 02 00 14 00 ..........2.....
00 00 B0 00 00 00 69 87 04 00 01 00 00 00 C4 00 ......i.........
00 00 2A 88 08 00 02 00 00 00 F9 FF F9 FF 00 00 ..*.............
00 00 4E 49 4B 4F 4E 20 43 4F 52 50 4F 52 41 54 ..NIKON CORPORAT
49 4F 4E 00 4E 49 4B 4F 4E 20 44 34 30 00 F0 00 ION.NIKON D40...
00 00 01 00 00 00 F0 00 00 00 01 00 00 00 56 65 ..............Ve
72 2E 31 2E 31 30 00 00 32 30 30 37 3A 30 39 3A r.1.10..2007:09:
30 38 20 31 37 3A 34 31 3A 32 34 00 20 00 9A 82 08 17:41:24. ...
05 00 01 00 00 00 4A 02 00 00 9D 82 05 00 01 00 ......J.........
00 00 52 02 00 00 22 88 03 00 01 00 00 00 00 00 ..R...".........
00 00 27 88 03 00 01 00 00 00 20 03 00 00 00 90 ..'....... .....
07 00 04 00 00 00 30 32 32 31 03 90 02 00 14 00 ......0221......
00 00 5A 02 00 00 04 90 02 00 14 00 00 00 6E 02 ..Z...........n.
00 00 01 92 0A 00 01 00 00 00 82 02 00 00 02 92 ................
05 00 01 00 00 00 8A 02 00 00 04 92 0A 00 01 00 ................
00 00 92 02 00 00 05 92 05 00 01 00 00 00 9A 02 ................
00 00 07 92 03 00 01 00 00 00 05 00 00 00 08 92 ................
03 00 01 00 00 00 00 00 00 00 09 92 03 00 01 00 ................
00 00 10 00 00 00 0A 92 05 00 01 00 00 00 A2 02 ................
00 00 91 92 02 00 03 00 00 00 34 30 00 00 92 92 ..........40....
02 00 03 00 00 00 34 30 00 00 17 A2 03 00 01 00 ......40........
00 00 02 00 00 00 00 A3 07 00 01 00 00 00 03 00 ................
00 00 01 A3 07 00 01 00 00 00 01 00 00 00 02 A3 ................
07 00 08 00 00 00 AA 02 00 00 01 A4 03 00 01 00 ................
00 00 00 00 00 00 02 A4 03 00 01 00 00 00 00 00 ................
00 00 03 A4 03 00 01 00 00 00 00 00 00 00 04 A4 ................
05 00 01 00 00 00 B2 02 00 00 05 A4 03 00 01 00 ................
00 00 1B 00 00 00 06 A4 03 00 01 00 00 00 00 00 ................
00 00 07 A4 03 00 01 00 00 00 01 00 00 00 08 A4 ................
03 00 01 00 00 00 00 00 00 00 09 A4 03 00 01 00 ................
00 00 00 00 00 00 0A A4 03 00 01 00 00 00 00 00 ................
00 00 0C A4 03 00 01 00 00 00 00 00 00 00 00 00 ................
00 00 01 00 00 00 0D 00 00 00 23 00 00 00 0A 00 ..........#.....
00 00 32 30 30 37 3A 30 38 3A 33 31 20 31 37 3A ..2007:08:31 17:
32 31 3A 34 38 00 32 30 30 37 3A 30 38 3A 33 31 21:48.2007:08:31
20 31 37 3A 32 31 3A 34 38 00 7C A5 05 00 A0 86  17:21:48.|.....
01 00 FF 83 05 00 A0 86 01 00 00 00 00 00 06 00 ................
00 00 24 00 00 00 0A 00 00 00 B4 00 00 00 0A 00 ..$.............
00 00 02 00 02 00 02 01 01 00 01 00 00 00 01 00 ................
00 00 FF E2 02 40 49 43 43 5F 50 52 4F 46 49 4C .....@ICC_PROFIL
45 00 01 01 00 00 02 30 41 44 42 45 02 10 00 00 E......0ADBE....
6D 6E 74 72 52 47 42 20 58 59 5A 20 07 CF 00 06 mntrRGB XYZ ....
00 03 00 00 00 00 00 00 61 63 73 70 41 50 50 4C ........acspAPPL
00 00 00 00 6E 6F 6E 65 00 00 00 00 00 00 00 00 ....none........
00 00 00 00 00 00 00 00 00 00 F6 D6 00 01 00 00 ................
00 00 D3 2D 41 44 42 45 00 00 00 00 00 00 00 00 ...-ADBE........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 0A 63 70 72 74 00 00 00 FC ........cprt....
00 00 00 32 64 65 73 63 00 00 01 30 00 00 00 6B ...2desc...0...k
77 74 70 74 00 00 01 9C 00 00 00 14 62 6B 70 74 wtpt........bkpt
00 00 01 B0 00 00 00 14 72 54 52 43 00 00 01 C4 ........rTRC....
00 00 00 0E 67 54 52 43 00 00 01 D4 00 00 00 0E ....gTRC........
62 54 52 43 00 00 01 E4 00 00 00 0E 72 58 59 5A bTRC........rXYZ
00 00 01 F4 00 00 00 14 67 58 59 5A 00 00 02 08 ........gXYZ....
00 00 00 14 62 58 59 5A 00 00 02 1C 00 00 00 14 ....bXYZ........
74 65 78 74 00 00 00 00 43 6F 70 79 72 69 67 68 text....Copyrigh
74 20 31 39 39 39 20 41 64 6F 62 65 20 53 79 73 t 1999 Adobe Sys
74 65 6D 73 20 49 6E 63 6F 72 70 6F 72 61 74 65 tems Incorporate
64 00 00 00 64 65 73 63 00 00 00 00 00 00 00 11 d...desc........
41 64 6F 62 65 20 52 47 42 20 28 31 39 39 38 29 Adobe RGB (1998)
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
58 59 5A 20 00 00 00 00 00 00 F3 51 00 01 00 00 XYZ .......Q....
00 01 16 CC 58 59 5A 20 00 00 00 00 00 00 00 00 ....XYZ ........
00 00 00 00 00 00 00 00 63 75 72 76 00 00 00 00 ........curv....
00 00 00 01 02 33 00 00 63 75 72 76 00 00 00 00 .....3..curv....
00 00 00 01 02 33 00 00 63 75 72 76 00 00 00 00 .....3..curv....
00 00 00 01 02 33 00 00                         .....3..

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
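Triage helper for an alert like the one above, added here as an example; it is not part of the post and not Sourcefire/VRT code. It rebuilds the bytes from a Snort-style hex dump (assumed layout: 16 hex pairs in the first 47 columns, then an ASCII gutter, as printed above), separates the HTTP headers from the body that `file_data` inspects, walks the JPEG marker segments, and applies the same byte test as sid 17390's pcre: an APP13 marker, 2-byte length plus the 14-byte `Photoshop 3.0\0` signature (the 16 bytes the rule skips), then an `8BIM` resource with id 0x0409 or 0x040C, which are the Photoshop thumbnail resources. The twelve dump rows embedded are copied from the alert; the `build_photoshop_jpeg` sample is constructed.

```python
import re

# Rows copied from the hex dump in the alert (Snort/barnyard format: 16 hex
# pairs in the first 47 columns, then an ASCII gutter).  The packet carried
# 1400 payload bytes; the first twelve rows reach the JPEG's first segments.
ALERT_DUMP = """\
48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D HTTP/1.0 200 OK.
0A 43 6F 6E 74 65 6E 74 2D 74 79 70 65 3A 20 69 .Content-type: i
6D 61 67 65 2F 6A 70 65 67 0D 0A 4C 61 73 74 2D mage/jpeg..Last-
6D 6F 64 69 66 69 65 64 3A 20 46 72 69 2C 20 31 modified: Fri, 1
33 20 4D 61 72 20 32 30 30 39 20 30 35 3A 34 38 3 Mar 2009 05:48
3A 32 32 20 47 4D 54 0D 0A 45 78 70 69 72 65 73 :22 GMT..Expires
3A 20 54 75 65 2C 20 30 32 20 4A 75 6E 20 32 30 : Tue, 02 Jun 20
33 37 20 32 30 3A 30 30 3A 30 30 20 47 4D 54 0D 37 20:00:00 GMT.
0A 43 6F 6E 74 65 6E 74 2D 6C 65 6E 67 74 68 3A .Content-length:
20 33 35 33 35 30 0D 0A 0D 0A FF D8 FF E0 00 10  35350..........
4A 46 49 46 00 01 01 01 00 F0 00 F0 00 00 FF E1 JFIF............
02 C2 45 78 69 66 00 00 49 49 2A 00 08 00 00 00 ..Exif..II*.....
"""

# Same byte test as the rule's pcre: APP13 marker, 16 bytes (length field +
# "Photoshop 3.0\0"), then an 8BIM resource with id 0x0409 or 0x040C.
SID17390_PCRE = re.compile(rb"\xff\xed.{16}8BIM\x04[\x09\x0c]", re.DOTALL | re.IGNORECASE)

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))   # markers with no length field
NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDA: "SOS",
         0xDB: "DQT", 0xDD: "DRI", 0xFE: "COM"}


def parse_hexdump(text):
    """Rebuild raw bytes from the dump; bytes.fromhex() skips the spaces."""
    return b"".join(bytes.fromhex(line[:47]) for line in text.splitlines() if line.strip())


def split_http(payload):
    """Separate the HTTP response headers from the body that file_data inspects."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of HTTP headers not in capture")
    return head, body


def marker_name(marker):
    if 0xE0 <= marker <= 0xEF:
        return "APP%d" % (marker - 0xE0)
    return NAMES.get(marker, "0x%02X" % marker)


def jpeg_segments(body):
    """Walk the JPEG header segments, stopping at SOS (entropy-coded data has no
    length fields), at EOI, or when the capture runs out.  Each entry records
    whether the whole segment was present in the capture."""
    if not body.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: no SOI marker")
    segs, pos = [], 2
    while pos + 1 < len(body):
        if body[pos] != 0xFF:
            raise ValueError("marker expected at body offset %d" % pos)
        marker = body[pos + 1]
        if marker == 0xFF:                  # fill byte, real marker follows
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == 0xD9:              # EOI
                break
            pos += 2
            continue
        if pos + 4 > len(body):             # length field itself cut off
            segs.append({"name": marker_name(marker), "ident": b"", "length": None, "complete": False})
            break
        length = int.from_bytes(body[pos + 2:pos + 4], "big")
        # APPn segments start with a NUL-terminated identifier (JFIF, Exif, ICC_PROFILE, Photoshop 3.0)
        ident = body[pos + 4:pos + 20].split(b"\x00")[0] if 0xE0 <= marker <= 0xEF else b""
        end = pos + 2 + length
        segs.append({"name": marker_name(marker), "ident": ident,
                     "length": length, "complete": end <= len(body)})
        if end > len(body) or marker == 0xDA:
            break
        pos = end
    return segs


def matches_sid17390(body):
    """True when the body carries the exact byte pattern sid 17390 looks for."""
    return body.startswith(b"\xff\xd8\xff") and SID17390_PCRE.search(body) is not None


def triage(payload):
    """Declared vs. captured body length, visible JPEG segments, rule pattern present?"""
    head, body = split_http(payload)
    m = re.search(rb"^content-length:\s*(\d+)", head, re.IGNORECASE | re.MULTILINE)
    return {
        "declared_length": int(m.group(1)) if m else None,
        "captured_body": len(body),
        "segments": [(s["name"], s["ident"], s["length"], s["complete"]) for s in jpeg_segments(body)],
        "rule_pattern_seen": matches_sid17390(body),
    }


def build_photoshop_jpeg(resource_id=0x040C):
    """Constructed sample (not from the post): a minimal JPEG whose only segment is
    an APP13 block holding an empty Photoshop thumbnail resource, i.e. the
    ordinary structure Photoshop writes and the structure the rule fires on."""
    resource = b"8BIM" + resource_id.to_bytes(2, "big") + b"\x00\x00" + (0).to_bytes(4, "big")
    payload = b"Photoshop 3.0\x00" + resource
    app13 = b"\xff\xed" + (len(payload) + 2).to_bytes(2, "big") + payload
    return b"\xff\xd8" + app13 + b"\xff\xd9"


if __name__ == "__main__":
    for key, value in triage(parse_hexdump(ALERT_DUMP)).items():
        print("%-18s %r" % (key, value))
    print("constructed Photoshop sample matches:", matches_sid17390(build_photoshop_jpeg()))
```

Run against the rows from the alert, the report shows a 38-byte body from a declared 35350-byte response, an APP0/JFIF segment, a truncated APP1/Exif segment, and no APP13 pattern in what was captured. That is expected: `file_data` inspects the reassembled response, and the first packet (dlen=1440) holds only a fraction of it, so confirming or ruling out the false positive means running the helper over the full response from the pcap rather than the single alert packet. The constructed sample shows why the signature is prone to false positives: an 8BIM thumbnail resource (0x0409 or 0x040C) in an APP13 segment is standard content in JPEGs saved by Photoshop, so the pattern alone does not distinguish a crafted file from a benign one.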
