Snort mailing list archives

Re: Possible FP 17390


From: "Lay, James" <james.lay () wincofoods com>
Date: Tue, 20 Sep 2011 14:07:19 -0600

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Tuesday, September 20, 2011 12:39 PM
To: Lay, James
Cc: snort-sigs () lists sourceforge net
Subject: [Spam] Re: [Snort-sigs] Possible FP 17390
Importance: Low

James,

After looking at this, I have a couple questions:

#1 -- What version of Snort are you using?
#2 -- The vulnerability condition is not in this packet.  What are you using
to log?  You may see the actual logged vulnerability condition in an
additional packet later, in perhaps a "tagged" packet (depending on what
interface you are using).  But I can't see the vulnerability condition on
the paste you included below.
#3 -- We actually used a jpg to replicate this condition in ClamAV.

So, a couple points.  First, if you can get full packet capture of the
vulnerability condition and surrounding packets, that'd be great.  Because I
can't see the vuln here.  Second, if you aren't running ClamAV, I suggest
you shut this rule off anyway.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Hey Joel,

This is snort 2.9.1 using 2.9.1 VRT rules.  The packet cap is via
sguil/barnyard2/squert...I don't think it's logging everything, but I
got the pcap out of the unified2 file and here's the only other packet,
but I can see where it hit now.  Think I'll kill this rule...thanks
Joel.

James

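An added example, not code from this thread, Snort or barnyard2: a small unified2 reader that pairs an IDS event with every packet record logged under its event_id, which is what Joel's point about the match landing in a later "tagged" packet comes down to when you pull alerts out of unified2 as James did. Record layouts are Snort's Unified2IDSEvent_legacy (type 7) and Unified2Packet (type 2) structs, big-endian; the sample file, the event_id 42 and the packet contents are constructed for the example, not from a real capture.

```python
import struct
# Record type 7 = legacy IDS event, type 2 = packet; each is preceded by a
# (type, length) header.  All fields are network byte order.
U2_PACKET, U2_IDS_EVENT = 2, 7
HDR = struct.Struct("!II")                    # record type, record length
EVENT = struct.Struct("!IIIIIIIIIIIHHBBBB")   # 52-byte legacy IDS event
PKT = struct.Struct("!IIIIIII")               # packet fields before packet_data

def records(blob):
    """Yield (record type, record body) for each record in a unified2 blob."""
    off = 0
    while off + HDR.size <= len(blob):
        rtype, rlen = HDR.unpack_from(blob, off)
        off += HDR.size
        yield rtype, blob[off:off + rlen]
        off += rlen

def events_with_packets(blob):
    """Map event_id -> {"sid": signature id, "packets": [raw packets in file order]}."""
    out = {}
    for rtype, body in records(blob):
        if rtype == U2_IDS_EVENT:
            f = EVENT.unpack_from(body)           # f[1] = event_id, f[4] = signature_id
            out.setdefault(f[1], {"sid": None, "packets": []})["sid"] = f[4]
        elif rtype == U2_PACKET:
            p = PKT.unpack_from(body)             # p[1] = event_id, p[6] = packet_length
            data = body[PKT.size:PKT.size + p[6]]
            out.setdefault(p[1], {"sid": None, "packets": []})["packets"].append(data)
    return out

def find_match(blob, sid, pattern):
    """(packet index, byte offset) of the first packet for sid holding pattern, else None."""
    for ev in events_with_packets(blob).values():
        if ev["sid"] != sid:
            continue
        for i, pkt in enumerate(ev["packets"]):   # index > 0 means a later (tagged) packet
            pos = pkt.find(pattern)
            if pos >= 0:
                return i, pos
    return None

def build_sample():
    """Constructed unified2 data: one SID 17390 event, two packets, JPEG SOI only in the second."""
    rec = lambda rtype, body: HDR.pack(rtype, len(body)) + body
    pkt = lambda data: PKT.pack(1, 42, 1316549000, 1316549000, 0, 1, len(data)) + data
    ev = EVENT.pack(1, 42, 1316549000, 0, 17390, 1, 4, 0, 2,
                    0x0A000001, 0x0A000002, 80, 51234, 6, 0, 0, 0)
    return (rec(U2_IDS_EVENT, ev) + rec(U2_PACKET, pkt(b"GET /x.jpg HTTP/1.1\r\n"))
            + rec(U2_PACKET, pkt(b"Photoshop 3.0\x008BIM\xff\xd8\xff\xee\x00\x0eAdobe")))
```

Run `find_match(open("snort.unified2", "rb").read(), 17390, b"\xff\xd8")` on a real file to see whether the bytes a rule matched on were in the alerting packet (index 0) or only in a packet logged afterwards.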
