Snort mailing list archives

[SID 36903, 37674] invalid offset value of content option


From: "jungun.baek" <jungun.baek () axgate com>
Date: Tue, 6 Feb 2018 14:54:17 +0900

Dear Snort-Team,

I have discovered something that looks wrong in the rules, so I want to know if I am misunderstanding.

alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike; classtype:attempted-admin; sid:36903; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER Cisco ASA IKEv1 invalid fragment length heap buffer overflow attempt"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,8,12,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2016-1287; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike; classtype:attempted-admin; sid:37674; rev:1;)

In the above two rules, the content option seems to check the "Next Payload", "MjVer" and "MnVer" fields of the IKE header. According to section "3.1 The IKE Header" of RFC4306, the Next Payload field is located at offset 8. I wonder why the offset of the content option is 16.

RFC4306 : https://tools.ietf.org/html/rfc4306#page-41

Best regards,
Eric Baek
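To see exactly which bytes the two rules inspect, here is an added example in Python (not part of the original post and not code from the Snort ruleset). It lays out the IKE header fields as defined in RFC 4306 section 3.1, emulates the semantics of content with offset/depth and of byte_test with the relative modifier, and runs that logic over a constructed IKE packet. The two 8-octet SPIs occupy bytes 0 to 15, so the Next Payload byte is at offset 16 and the version byte at 17; the content match ends at byte 18, and the relative byte_test reads 2 bytes at 18 + 12 = 30, which is the Payload Length field of the first (Fragment, 0x84) payload header following the 28-byte IKE header. The function names, the packet builder and the sample packets are assumptions made for this demonstration.

```python
import struct

# Byte layout of the IKE header from RFC 4306 section 3.1 (28 octets).
# Two 8-octet SPIs come first, so Next Payload sits at byte offset 16.
IKE_HEADER_FIELDS = (
    ("initiator_spi", 0, 8),
    ("responder_spi", 8, 8),
    ("next_payload", 16, 1),
    ("version", 17, 1),        # MjVer (high nibble) | MnVer (low nibble)
    ("exchange_type", 18, 1),
    ("flags", 19, 1),
    ("message_id", 20, 4),
    ("length", 24, 4),
)
IKE_HEADER_LEN = 28
GENERIC_PAYLOAD_HDR_LEN = 4    # Next Payload, C/reserved, Payload Length (2)


def field_offset(name):
    """Return the byte offset of a named IKE header field."""
    for fname, off, _size in IKE_HEADER_FIELDS:
        if fname == name:
            return off
    raise KeyError(name)


def parse_ike_header(pkt):
    """Parse the fixed IKE header into a dict of integer field values."""
    if len(pkt) < IKE_HEADER_LEN:
        raise ValueError("packet shorter than the IKE header")
    return {name: int.from_bytes(pkt[off:off + size], "big")
            for name, off, size in IKE_HEADER_FIELDS}


def content_match(pkt, pattern, offset, depth):
    """Emulate Snort 'content' with offset/depth: search for pattern inside
    pkt[offset:offset+depth] (depth counts from the offset position) and
    return the index just past the match, or None if it does not match."""
    idx = pkt[offset:offset + depth].find(pattern)
    return None if idx < 0 else offset + idx + len(pattern)


def byte_test_lt(pkt, size, value, rel_offset, doe):
    """Emulate 'byte_test:<size>,<,<value>,<rel_offset>,relative': read <size>
    big-endian bytes at doe + rel_offset (doe = end of the previous match)."""
    start = doe + rel_offset
    chunk = pkt[start:start + size]
    if len(chunk) < size:
        return False
    return int.from_bytes(chunk, "big") < value


def matches_fragment_rule(pkt, version_byte):
    """Detection logic of SID 36903 (version_byte=0x20, IKEv2) and
    SID 37674 (version_byte=0x10, IKEv1):
    content:"|84 xx|"; depth:2; offset:16; byte_test:2,<,8,12,relative;"""
    doe = content_match(pkt, bytes([0x84, version_byte]), offset=16, depth=2)
    if doe is None:
        return False
    # doe == 18, so the test reads bytes 30..31: the first payload's Payload Length.
    return byte_test_lt(pkt, 2, 8, 12, doe)


def build_ike_packet(next_payload, version, first_payload_len, body=b"\x00" * 8):
    """Constructed sample (hypothetical helper): an IKE header followed by one
    generic payload header whose Payload Length field is set to first_payload_len,
    the value the rule inspects, independent of the actual body size."""
    spi_i = bytes(range(1, 9))                 # constructed initiator SPI
    spi_r = bytes(8)                           # zero responder SPI (first message)
    exchange_type, flags, message_id = 34, 0x08, 0   # not inspected by the rule
    total_len = IKE_HEADER_LEN + GENERIC_PAYLOAD_HDR_LEN + len(body)
    hdr = spi_i + spi_r + struct.pack("!BBBBII", next_payload, version,
                                      exchange_type, flags, message_id, total_len)
    payload_hdr = struct.pack("!BBH", 0, 0, first_payload_len)
    return hdr + payload_hdr + body


if __name__ == "__main__":
    print("Next Payload offset:", field_offset("next_payload"))
    for label, pkt in (("SA payload, IKEv2", build_ike_packet(0x21, 0x20, 12)),
                       ("fragment, length 12", build_ike_packet(0x84, 0x20, 12)),
                       ("fragment, length 4", build_ike_packet(0x84, 0x20, 4))):
        print(f"{label}: SID 36903 match = {matches_fragment_rule(pkt, 0x20)}")
```

Running the module prints the field offset and the verdict for three constructed packets: an ordinary IKEv2 message with an SA payload (no match), a Fragment payload with a sane length (no match), and a Fragment payload whose length field is below the 8-byte minimum (match). Swapping the version byte to 0x10 exercises the IKEv1 variant, SID 37674, in the same way.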
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs