Snort mailing list archives

Re: bad range 3038303030303030


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Thu, 24 May 2012 09:23:25 -0400

Looks like a problem with the following rules... 21902-21906


alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"8B8DDA58"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21902; rev:1;)


alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"0036D8F4"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21903; rev:1;)


alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"B13CC16A"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21904; rev:1;)


alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"8E7EE1E6"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21905; rev:1;)


alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"FILE-OFFICE Microsoft Windows common controls MSCOMCTL.OCX buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.rtf;
file_data; content:"21433412"; content:"A3E81207"; distance:0; nocase;
content:"436F626A"; distance:0; nocase;
byte_extract:4,8,datasize1,relative,little;
byte_extract:4,0,datasize2,relative,little;
byte_test:4,=,datasize1,0,relative,little;
byte_test:4,=,datasize2,4,relative,little;
byte_test:8,>,3038303030303030,-8,relative,little,string,hex;
metadata:policy balanced-ips drop, policy security-ips drop, service
http, service imap, service pop3; reference:cve,2012-0158;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-027;
classtype:attempted-user; sid:21906; rev:1;)


-J


From: costin [mailto:costinvilcu () yahoo com] 
Sent: Thursday, May 24, 2012 5:16 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] bad range 3038303030303030


Hi, 

I am running the 2.9.1.2 version of Snort, and I just applied the VRT for
registered users (the one from 4/24/2012).

After restarting Snort, I got the following messages:


"

Starting Snort on interface eth6...
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
Bad range: 3038303030303030
"


I got the same messages for every interface I was running Snort on.


Does anyone have more info about these messages?


Thanks,
