Snort mailing list archives

Re: [Snort-Sigs] 19213 thousands of FP


From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 27 Sep 2011 11:29:49 -0400

I believe that the logic revolved around the mistaken assumption that "?Q?"
was actually rare in subject lines. If at all possible, we'd love to get
some sample packet captures (full-stream if possible) with this character
appearing in a legitimate subject line, so we can add it to our test suite
to ensure we don't end up with further false positives like this in the
future.

That said, the rule now has an appropriate length check; the update will be
released in the next SEU. The PCRE stays, however, to ensure that everything
actually appears on a single line.

On Tue, Sep 27, 2011 at 11:18 AM, matan monitz <mmonitz () gmail com> wrote:

Hello,
Can someone please explain the logic behind the sig?
The ?Q? is very, very common and there is no minimal length on the sig.
Quoting from Secunia:

* 2) A boundary error in the List Mailer (imailsrv.exe) can be exploited
to cause a stack-based buffer overflow via an overly-long string in the
Subject field following the "?Q?" operator.*

You can't just alert on this operator appearing in the subject! (BTW, I'll
be happy if someone can tell me what ?Q? means.)

P.S. The PCRE should also be removed from the sig.




------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!




-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
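As an added illustration, not code from this thread or from the Snort rule itself, the following Python models the two detection approaches the reply contrasts: alerting on any "?Q?" in a Subject header versus requiring an overly long run of characters after it on a single line. The length threshold and the sample headers are assumptions, since the thread gives neither the rule's value nor the packets that triggered it.

```python
import re

# Assumed threshold: the thread does not state the length the updated rule
# checks for; 200 is a placeholder chosen for this example only.
OVERLY_LONG = 200

# Naive logic the original signature is criticised for: alert whenever the
# RFC 2047 quoted-printable encoded-word marker "?Q?" appears in the Subject.
def naive_alert(headers):
    return "?Q?" in headers

# Revised logic described in the reply: still require "?Q?", but only alert
# when an overly long run follows it on the same physical line. Excluding
# CR/LF from the run is what a single-line PCRE check guarantees.
REVISED = re.compile(
    r"^Subject:[^\r\n]*\?Q\?[^\r\n]{%d,}" % OVERLY_LONG,
    re.IGNORECASE | re.MULTILINE,
)

def revised_alert(headers):
    return REVISED.search(headers) is not None

# Constructed sample headers (not taken from the thread).
LEGIT = "Subject: =?UTF-8?Q?Re=3A_Meeting_notes?=\r\nFrom: a@example.com\r\n"
PLAIN_LONG = "Subject: " + "A" * 300 + "\r\n"                # long, no marker
LONG = "Subject: =?UTF-8?Q?" + "A" * 300 + "?=\r\n"          # long run after marker

def evaluate(samples):
    """Return {name: (naive, revised)} so the two rule variants can be compared."""
    return {name: (naive_alert(h), revised_alert(h)) for name, h in samples.items()}

if __name__ == "__main__":
    results = evaluate({"legit": LEGIT, "plain_long": PLAIN_LONG, "long": LONG})
    for name, (n, r) in results.items():
        print(f"{name:10s} naive={n} revised={r}")
```

The legitimate encoded-word subject trips only the naive check, which is the false positive the thread describes; the revised check fires only when both the marker and the overly long single-line run are present.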